The Hacker Factor Blog

Black Friday kicks off the holiday shopping season. It is followed three days later by Cyber Monday. So I'm sure you're thinking those age old questions, like "What do I get Grandpa?" and "My sister is so hard to shop for, will she like this?"

IT workers frequently spend long hours with coworkers, so it is certainly appropriate to get your admin, programmer, or support staff a gift. But what is a good gift for the security-minded individual? Most security folks like a good laugh. (With all the patches and vulnerabilities and user problems, you gotta learn to laugh.) They also like cool toys. So, here''s a few suggestions:

Gift #1: The Password Directory

The Password Directory from The Container Store looks like a little black address book, but it has spaces for websites, usernames, and passwords. There is even a field for writing your "Hint" -- just in case you forget. (I swear I'm not making this up!) And just in case you forget, the last page has a list of common social sites and search engines like "www.facebook.com" and "www.google.com".

Most security-minded people will find this gift to be hours of entertainment. Forget the Post-Its on the monitor, you can now have all of your secret information written in one convenient book.

Gift #2: The Laptop Pocket

Laptops have a lot of unused real estate. The Container Store's Laptop Pocket sticks to the lid of your laptop, creating a pocket for storing cords, pens, paper, or even your Password Directory.

Gift #3: WiFi Finder

A WiFi Finder Keychain is a small device that tells you if you are near a wireless access point. These have been around for years, but now they come in a variety of shapes and sizes.

Gift #4: Pringles!

Pringles Potato Chips are the perfect gift for any computer geek. Besides being yummy, you can turn it into a great WiFi antenna.

Gift #5: USB Record Player

Bed Bath and Beyond has a USB LP Record Player. Ever hear of Eddy and the Tide's album Looking For Adventure? What about American Gypsy's self-titled album? And the LP version of Talking Head's "Burning Down the House" (album Stop Making Sense) has better editing than the remastered CD release. Not everything is online, and not all music is available on CD. But with this cool gift, your admin can still convert all their old vinals to MP3.

Most security geeks are packrats and like their tunes when they peruse pcap logs. This gift lets them listen to their favorite hits from when they were programming on Apple ][e and Atari computers.

(If only there was a similar converter for tapes... I've only got Renee Alper's Wheelchair in High Gear on tape, and "Criminal Rag" is just too good to lose.)

Gift #6: Adjustable and Light-up Keyboards

Alright, the Ergodex DX-1 Programmable Keyboard may be designed for people with severe physical, upper extremity, vision or cognitive disabilities, but the entire thing is just cool! From their web page:

This keyboard consists of a tablet and 25 adhesive-backed keys. Although the adhesive forms a strong bond, the keys can be moved by twisting them off, enabling them to be moved around on the surface. The keys are programmable to perform any number of tasks, including controlling single or multiple functions such as moving entire blocks of text, launching web sites, performing operations that otherwise require multiple key combinations, or performing double mouse clicks with a single touch.

Alternately, you can go with the Luxeed's USB keyboards. They have built in programmable lights.

Gift #7: Thumb Drives

USB thumb drives are coming in more and more cool shapes. If you don't know what to choose, then consider getting your hacker one of the Mimoco figurine USB drives. Their Star Wars and Domo X are sure to be a hit. (If you don't know what Domo-Kun is, watch the video. It's very popular at hacker conferences.)

Understanding image analysis is very important. Otherwise, you cannot tell fact from fiction. Equally important is the need to understand how not to do image analysis. Otherwise charlatans may try to pull a fast one over you.

In my previous blog entry, "Bad Science: How Not To Do Image Analysis", I debunked the work of an anonymous troll who called himself "TechDude". TechDude used a sample biased, false data, and artifacts created by his own tools to conclude that the Obama certificate of live birth (COLB) was fake. TechDude also used false credentials (he impersonated another person) in order to sound authoritative. Following my public critique of his report and outing of the impersonation, TechDude vanished. Even his strongest supporter, "Texas Darlin", pulled all of TechDude's reports from her blog. TechDude was a fraud and used bad science to support a false conspiracy.

Today, there is only one person who continues to propagate the "COLB is fake" conspiracy. He calls himself "Ron Polarik" (an anonymous pseudonym -- not his real name), and he also uses bad science to support his claims. His latest report, Polarik's final report: Obama's 'Born' Conspiracy is accompanied by a YouTube video. (Since he keeps restricting access to it and moving it around, I am making a copy available here. He has also moved his blog report, so here's the updated link.)

Moot Point

Before I begin evaluating Polarik's claims, I would like to point out that the entire claim -- that Obama was not born in Hawaii -- is false. Representatives from the State of Hawaii have repeatedly authenticated Obama's COLB.

• 27-June-2008. Janice Okubo from the Hawaii Department of Health confirmed that the document was valid.
  
  
• 15-Aug-2008. Politifact validated the information.
  
  
• 31-Oct-2008 (alternate link). Quote: Health Department Director Dr. Chiyome Fukino said today she and the registrar of vital statistics, Alvin Onaka, have personally verified that the health department holds Obama's original birth certificate.

Hawaii confirmed that Obama has a real birth certificate from Hawaii. Regardless of whether the document on the web is real or tampered, the argument is moot; an authentic document exists. Thus, the conspiracy has no basis.

Now, given that Hawaii confirms it, why would they release a fake COLB when they could just as easily release a new one? (Occam's Razor: it is easier to just release the real one.)

Polarik's Claims

On Polarik's blog and video, he makes four key claims about the COLB.

Claim #1: The Pixel Problem
Polarik claims that a zoom-up of the letters contains off-color pixels that do not belong. For example, zooming in shows gray dots in the middle of the black letters. He claims that this means that the letters were replaced.


There are actually many problems here.

First, the highest copy quality of the COLB contains no instances of the word "BIRTH" that looks like this. Every instance has that green thatched background around the letters. In fact, the green thatched background is visible in every copy of the COLB. Thus, Polarik has tampered with the data in order to remove the green thatched background.

Second, along with the missing green from outside the letters, Polarik claims that there should be a green thatched pattern within the letters ("O", "B", etc. have internal areas that should contain green). If you look at the child's name on the big image, you can clearly see the thatch in the letters "C", "O", "B", and "A". However, the green thatch is not as clear as the rest of the image. This happens because the image is at a very low quality: JPEG uses a lossy compression algorithm that drops off low contrast colors and preserves high contrast. The black text on light background is preserved, but the pale green thatch on light green paper blends together when combined with the high-contrast black lettering.

Third, the loss of the green background when scanned is intentional. Security paper, such as the green thatched background, is designed to distort when scanned. That's a security measure. Thus, even if Polarik had not tampered with the image, removing the green from around the letters, the thatch background should not be crisp.

Fourth, the colored pixels within the solid black lettering is fully expected from a scanned document. Scanners are not perfect. They introduce noise into the image. So let's do a scanner test...

The biggest COLB online is 2550x3300 pixels. At 300dpi, that is 8.5"x11" (a full sheet of paper). I scanned in a portion of a Newsweek article at 300dpi. The portion that I selected contains text at various sizes and thicknesses. Looking at the paper version, it all looks uniform and black. However, the scanned image (full color, no enhancements, scanned on an HP Scanjet 3570c) shows that the black text contains a variety of colors.



And zoomed in to 400%:


The areas of text that should be all black are not uniformly black. Combining these "non-black" areas with the JPEG lossy compression (which uses 8x8 blocks) yields square patches that are different dark colors. These look like the exact same artifacts that Polarik claims indicate a forgery. Polarik is wrong -- they are nothing more than scanner artifacts.

On Claim #1, Polarik has manipulated the data, forgot about the purpose of security paper, ignored the image quality, and incorrectly determined that scanner artifacts are signs of a forgery.

Claim #2: Different Borders
Polarik claims that the border looks different from other examples of Hawaii's birth certificate. In particular, he says that it looks blurry. We don't know the history of the actual image (was this a scan converted to JPEG, resaved as another JPEG, etc.). What we do know is that the image is at a very low quality, and JPEG loses fine details when saved at a low quality.

In the video, Polarik continues to say that the blurriness is because one border was applied on top of another. (This is a fun argument because it is so stupid.) There are many ways to paste one item on top of another. The most common is "overwrite" -- the new border replaces the old one. Then comes "selection" -- imaging selecting the black thatched background and not selecting all of the middle parts -- that can be very hard with an image like this. When pasting one thatch onto another, you should see a consistent shadow or a herringbone pattern. Yet, neither is present. Finally, there is "merge". Merge could make it blurry, but would also introduce the shadow or herringbone pattern, which are not present.

Polarik incorrectly concludes that the border was added to the image. However, I and other analysts have been unable to identify any sign of digital manipulation.

Hawaii (and every other state) uses a variety of forgery deterrents and regularly change the deterrents. A very fine black-thatched border, like the light green thatched background, should not scan correctly. Depending on the scanner, it may appear blurred or bi-tonal or contain a different patterned than the one found on the paper. Thus, the dark, blurry background is more likely due to the security paper and not due to manipulation. (Some of the other scans of Hawaiian birth certificates appear bi-tonal -- a dark, wide thatch with a light gray thatch inside.) Then again, without a copy of the official document and a list of the various and ever-changing security methods employed by Hawaii, any visual analysis of "it looks wrong" is nothing more than speculation.

Of course, borders could be added to a fake document, printed, and then scanned in and I would not be able to detect it. But that isn't what Polarik is claiming happened. He says that they were added to the digital image. That claim is not supported by the image compression level, color scheme, and other artifacts.

On Claim #2, Polarik is both wrong, and not in a position to validate even if he were right.

Claim #3: "The missing seal" and "The missing fold"
Polarik claims that the online COLB is missing the official seal and folds.

I don't know what to say here except "Polarik is wrong". He seems to not mind hyperfocusing on pixels in the text, but ignores the pixels that disprove his conclusion. This isn't just "selection bias", this is intentional ignorance.

Here is a section of the large online document. I have only cropped the image -- no color enhancement and no scaling. The section comes from the lower middle of the page. The green thatched background normally appears without any other background. However, above the date stamp on the paper is a round area of horizontal lines that go through the green thatch. This is the official seal. If you mouse-over the image below, you will see an enhanced image: I applied an edge detection algorithm that shows the horizontal lines in white.



Polarik says that you should be able to see the embossed pattern on the scanned image without image enhancement. The quality of the seal's appearance depends on the scanner and image quality. Remember: the seal is not a change in color; it is a change in texture that the scanner may not capture well. In this case, I see it above, but I use enhancement to make it easier to see.

Polarik refuses to acknowledge the seal because admitting it exists would damage his claim.

Polarik also claims that the second fold is missing. In this regard, I must admit that I do not see the second fold. However, I have scanned many pieces of folded paper and not seen folds (scanners pick up color, not texture). What I do see in the COLB is evidence suggesting a fold. Follow the right edge of the right border down the page. It has a slight lean inward, meaning it is crooked. At about a third of the way from the bottom, the border changes direction, bending outward. It changes direction where the second fold should be located. And since the green thatched pattern does not show any breaks or separations, it is very unlikely that this is a paste or splice.

Claim #4: The Fact Check Forgery
Polarik claims the border and seal do not match the form from 2007 or 2008. He forgot to mention that the bottom corner says "11/01" meaning it is the 2001 form, and not either 2007 or 2008.

There is a difference between "real" and "authentic". Digital image analysis can tell if an image has been manipulated, but not if the original source was authentic. In fact, any analysis based strictly on the online image cannot be used to validate the authenticity of the border.

The only one who can say whether the border and document are authentic is the state of Hawaii. And Hawaii has been saying that the accusation of a false COLB is "pretty ridiculous." As far back as 15-Aug-2008, they have said that the COLB image is "a valid Hawaii state birth certificate". Since Polarik has never claimed to be an expert in Hawaiian birth certificates, I'm going to have to go with the State's opinion here and conclude that Polarik is wrong.

Polarik's Changing Background

So none of Polarik's claims hold up to inspection. What about Polarik's credentials? I mean, TechDude had some really impressive credentials... until it was discovered that he was a fraud and claiming credentials that he didn't have.

Polarik continually says that the name "Ron Polarik" is not his real name. It is a pseudonym. He says he fears threats from Obama supporters. This claim reminds me of Ashley Todd -- the campaign worker who claimed to have been beaten up by an Obama supporter, but that turned out to be a hoax.

My real name is Neal Krawetz and I stand behind my analysis. Polarik, on the other hand, stands behind anonymity.

Trolls frequently add to their backgrounds in order to sound more impressive. As expected, Polarik has altered his background credentials. Four months ago, he described himself as:

I've been working with computers, printers, and typewriters for over 20 years, and given a set of printed letters, I can discern what kind of device made them. Printer output is quite different from the text created by a graphics program, and even if a document looks "official," it may not be.

In the recent video, he describes himself as:

I'm Dr. Ron Polarik. I have a Ph.D. in Instructional Media. And my expertise is in computer graphics and the use of computer peripherals, such as printers and scanners, to input digital images into the computer. I've done a lot of work with reading web pages, where image size and image quality are very important. I'm fully qualified to spot inconsistencies and anomalies in images, especially digital images, given my expertise.

So let's see...

• "Dr. Ron Polarik". Many years ago I saw a comedy troupe called Duck's Breath Mystery Theater. They had a skit called "Ask Dr. Science". In the show, Dr. Science legally changed his first name to "Doctor" in order to give his theories more credibility. ("There is a thin line between ignorance and arrogance," he says, "and only I have managed to erase that line.")
  
  It seems that Ron Polarik has now tried the same thing -- he has now given himself a Ph.D. If he had this credential, then why did he not say so months ago? It would have given his bogus analysis the appearance of more credibility. Instead, it just came out of nowhere.
  
  
• He says he has a Ph.D. in Instructional Media with an expertise in computer graphics. I'm curious which school. Most schools with "Instructional Media" courses offer doctorates in Education, but not in the specific niche of media (however, a few do). In addition, a degree in education or media is not the same as a degree in computer security or a certification in forensics or related experience.
  
  
• He claims to do a lot of work with web pages where image size and image quality are very important. Uh, huh? Most web page designers care about speed-to-load. Most images found on the web are very low quality. While quality is important for an analyst, the quality is not very important to most people who use the web. And, by the way, Polarik never analyzed nor mentions the quality of the COLB image.
  
  
• Wait... what are those credentials again? "input[ing] digital images into the computer" and "reading web pages". Does this sound like someone with real qualifications?
  
  
• He claims to be "fully qualified" to spot inconsistencies in images, especially in digital images. This is really cool... since digital image forensics is a relatively new field with only a handful of experts in the nation... and Polarik isn't one of them.
  
  
• For someone with a Ph.D., he makes very strong statements that I have never heard from someone with a Ph.D. "Indisputable evidence" and "without a doubt a forgery". Every Ph.D. that I know always holds back a little from making absolute statements, especially when the techniques are not 100% accurate.
  
  To date, no image analysis technique is 100% accurate -- that's why real forensic examiners use a variety of methods and algorithms. Polarik, on the other hand, has used nothing except overly zoomed pixels and a selective bias (he refuses to acknowledge that the seal is present).
  
  
• And let us not forget the unprofessional behavior. Having a Ph.D. does not mean you know everything. However, every Ph.D. candidate has endured so much political bickering, that it becomes ingrained. If you thought the British were polite when they insult you, then you should really see academic professors go at it. "The battles are so fierce because the stakes are so small."
  
  In contrast, my site admin (the ever-talented Ms. Kim) banned Polarik from submitting comments to my site because he is outright rude an insulting. Some quotes from his banned comments:
  

  Y'know what I love about Lefties? How they posit nonsense in response to honest research. Better, still, how folks like yourself are content to simply blow smoke up my butt without any valid examples to prove their point.
  
  Neil, you are a hack and a phony. I wrote a rebuttal to your babbling, but it never was posted. Well, I guess that's one way to silence me and maintain your superiority complex in the process.
  
  Memo to Neil: you're not the Oracle of Delphi. You cannot just get by on your word alone.
  
  Neal, you still have not printed my challenges to you, which means that you picked a very appropriate name for your website. HackerFactor contains the stem "Hack" which is exactly what you are.
  
  Problem is, I called your bluff and you never posted it. What a wuss! I know everything there is to know about PCA, thanks to my Masters in Statistics, and I challenged you to answer basic questions about PCA output that you should have been able to answer if you knew your asterisk from your elbow about PCA.

  
  (As an aside, I find it interesting that he forgot to mention a "Masters in Statistics" in his video.)
  

  I admire the resume you posted on your site. It's so nicely padded, that I'd like to use it on my new memory foam bed.

  
  (As an aside, my resume is not posted on my site. I can only assume that he has misinterpreted my very short bio as a resume.)
  
  On other blogs, where he has not been banned, he is equally outright rude and insulting. These are not the insults of a Ph.D. These are the insults of a troll. Someone with a Ph.D. would do the insulting by discrediting the research, before addressing the person.

Polarik's findings are not supported by the data. He has manipulated evidence, selectively ignored facts, and overlooked obvious findings. He has made over-reaching and gross assumptions, which vary from baseless to provable inaccurate. Moreover, he claims vague credentials that are unsupported by his work. I have serious doubts about Polarik having a Ph.D., but he sure has a lot of BS.

A friend sent me this image... He said he saw it on Digg.



The question is: how was this done?

The Digg subject line is "The Shadows Are All Wrong", and many of the Digg comments simply say it is fake. It is one thing to claim a picture is computer generated or digitally enhanced, but it another to explain how it was done.

A few of the Digg comments actually ventured into explanations:

• IIECONII wrote: This "witchcraft" is called painting a shadow.
  
  
• OneHandBandito wrote: Obviously not the real shadow. (Neal adds, "Obviously...")
  
  
• Jimmni tried to explain it:
  

  It's a plate attached directly to a wall (and not raised above it) with a pretend shadow painted around it to give the impression of 3D and the impression of a different shadow. It's not photoshopped, it's not 3D, it's just mildly clever. The illusion would also only work from fairly specific angles, so in real life would immediately look faked unless you walked up to it from just the right angle.

  
  
• PsychoNavigator said, "The shadows are all wrong the bottom one appears to be from a stencil and spraypainted. Also the shadows on the bricks give away the suns positions. Nice work though."
  
  Neal adds: I decided to measure the shadows. All are reasonable. And the stencil vs spray paint? Uh... no.
  
  
• christinme commented, "dumb photoshop. Any amateur could do this."
  (Neal adds: "Yes, but look at all of the amateurs who do not know how it was done!")

This image from Digg is hosted on a Russian site (not workplace safe and may contain malware!). But it didn't start there. In the bottom corner is the "worth1000.com" logo.

Worth1000 is one of my favorite photoshop contest sites. They sponsor contests and receive artwork from amateurs and professionals. And yes, all of the pictures are photoshopped (sorry Jimmni -- you're wrong).

This particular image may be making Digg today, but it was originally created for an "Alternate Reflections and Shadows" contest held in October 2005. This picture is over three years old.

Witchcraft

Alright, so we know that the image was photoshopped, but how was it done? Was the shadow added? Is the entire thing fake?

As it turns out, it was really a simple edit -- visible when recoloring the image. I did the recoloring using a temperature pseudocolor over the intensity. Basically, lighter colors are more red and darker colors are more blue. (Mid-range colors are greenish.)


(Mouse over the image to see the colorized image.)

The main thing to notice is subtle, but definitely there. The lower curve of the "3" has a different red-green background pattern compared to the rest of the image. Since it is different, it was added.

As far as I can tell, the shadow isn't fake and the "2" was not added. Instead, the metal plate used to have a "2" and was changed to be a "3". The artist kept the top curve of the "2" and changed the bottom half to look like a "3".

Other analysis techniques, such as error level analysis (ELA) and principal component analysis (PCA), identify a rough rectangle area over the lower left quadrant of the metal plate.

Now that you know what to look for, you can see other visible problems. For example, look at the start and end of the "3". The inside and outside edges are perfectly lined up vertically. True vertical alignment almost never happens in real life. Knowing that they align perfectly, I copied the top of the digit to the bottom (flipping vertically). There is a solid match. The artist duplicated the metal plate to complete the "3", then replaced the background and reflective edge on the metal. (Very clever.)

Straight lines show the shadow alignment. The slight difference on the post shadows can be explained by slightly bent posts. (Don't assume they are straight since you cannot see them.) The red shows where edges align. The blue shows where the "2" should align.

The top of the number was copied and flipped vertically to form the bottom.

Unfortunately, the replication broke the image centering. The "2" appears centered in the shadow, but the bottom of the "3" is too low on the metal plate.

Overall, this is an excellent piece of work. The artist did a very minimal change, it was simple, and it lasted three years without being explained.

For the longest time I have had a "Donate" button on my blog. Since some of my work is unfunded research, I thought it would be nice to receive donations. In all these years, I think 3 humans have ever clicked on the button. (I'm not bitter at all -- I rarely donate so this was more of a social experiment.)

If you notice, the "Donate" button is gone. The button used to go to PayPal -- a company that raises serious security issues all by itself. Today I received an email from them that said:

As part of our security measures, we regularly screen activity in the PayPal

system. During a recent screening, we noticed an issue regarding your account.



Case ID Number: PP-xxx-xxx-xxx [redacted]





For your protection, we have limited access to your account until additional

security measures can be completed. We apologize for any inconvenience this may

cause.



To review your account and some or all of the information that PayPal used to

make its decision to limit your account access, please visit the Resolution

Center. If, after reviewing your account information, you seek further

clarification regarding your account access, please contact PayPal by visiting

the Help Center and clicking "Contact Us".



We thank you for your prompt attention to this matter. Please understand that

this is a security measure intended to help protect you and your account. We

apologize for any inconvenience.



Sincerely,

PayPal Account Review Department



Please do not reply to this email. This mailbox is not monitored and you will

not receive a response. For assistance, log in to your PayPal account and click

the Help link in the top right corner of any PayPal page.

It reads and looks like a phishing scam; I enjoyed the part about "do not reply". However, there are no hyperlinks in the email (most phish link to an impersonating site). The email's header does not contain anything odd -- it really came from PayPal.

Logging into the real PayPal account, I see a similar message. Thus, in this instance, this is not a scam. According to them:

PayPal is constantly working to ensure security by regularly screening the accounts in our system. We recently reviewed your account, and we need more information to help us provide you with secure service. Until we can collect this information, your access to sensitive account features will be limited. We would like to restore your access as soon as possible, and we apologize for the inconvenience.
Why is my account access limited?

Your account access has been limited for the following reason(s):

    * To meet financial service industry regulations, we need more information to help confirm your identity.

Access to some of your PayPal account features has been limited. We apologize for the inconvenience. Please take a moment to respond to this request so we can work to restore your account access as soon as possible.

Uh, what "financial services industry regulations"? They don't say. Considering that PayPal is not a registered bank (except in Luxembourg), not managed like a bank, and not FDIC insured, I don't know what regulations they are referring to. Moreover, nowhere on their site could I find anything that explains the regulations PayPal must abide by.

As long as the account is limited, I can "receive payments, place logos into your auction listings or on your website, and update your account information". However, I cannot "send or request money, electronically transfer funds from your PayPal account, or close your account". Huh? If this were a real bank then I could always close the account.

No Limits on Stupidity

But it gets better... In order to resolve this issue, they want me to upload or fax them:

• Valid photo ID
  
  • Driver's License
    
  • Passport
    
  • Military Identification Card
  
  
• Proof of address
  
  • Utility Bill

Uh... so lets just list all of the things that are wrong here.

1. In order to create a PayPal account, I do not need to provide any of these documents. In fact, as a US citizen, I am not required to have any of these documents. I have friends in New York who never drive -- they have no drivers license. I have friends who have never needed a passport, and many friends who have never been in the military. I also know people who do not own their own home and do not have any utilities under their own name. Thus, real people will be unable to validate themselves.
   
   Real banks only require a tax ID. This can be a social security number or other employment tax ID. You can be homeless (no address), unemployed, non-military, and too young to drive -- and you can still have a bank account. And if I recall correctly, the tax ID is only needed if the bank is FDIC insured (mitigating insurance fraud) or interest bearing (you need to pay tax on the interest). This is why companies that do payday loans does not require a tax ID from clients. (They are not insured and the lender does not pay interest.)
   
   In PayPal's case, they never ask for a tax ID. They are not FDIC insured and they do not pay interest. I see no reason why they need this information.
   
   
2. How will PayPal validate this information? PayPal currently outsources to India. Will workers in India be able to tell if a scan or fax of a Wyoming Driver's License is real? In the airport, TSA usually waves a blacklight over the ID in order to see if it is real. You can't do that with a scanned image.
   
   And what if my passport is from a foreign country? I seriously doubt that any country in the EU or Asia or Russia would assist PayPal in validating one of their citizens with a foreign company. Even in the USA, checking the records is not a free service. Will PayPal charge me for this?
   
   
3. I've written plenty about image fraud. In my presentation about Digital Image Forensics, I give MySpace and Yahoo! as examples. To resolve a dispute, both companies want a copy of your ID to prove it is you... even though they have no means to validate that you are the person in the picture. In this regard, Yahoo! is actually worse than MySpace. MySpace just wants a picture of you -- with no way to prove that the person in the picture is actually submitting the picture and no way to tell if the photo has been photoshopped. Yahoo! wants a fax (I'm not kidding). Faxes are such low quality that any forgery will look real.
   
   In the case of PayPal, they have no means to validate that the person submitting the documents is actually the person in the documents. I can create a PayPal account for the Internet Storm Center, take a headshot of Marc Sachs, look up his home address, doctor up a fake drivers license and fake utility bill and fax it in... and I'm pretty certain PayPal will accept it.
   

To recap: PayPal is asking for information that I may not have, that they cannot validate it if they get it, and even if validated they cannot prove it is me. Again, why do they think they need this?

Duh wha huh?

Adding to the confusion, PayPal has already validated my account. In order to transfer funds out of PayPal, you must provide a real bank account. (Real banks really try to validate people.) PayPal validated the bank account. Therefore, they can associate the PayPal account with a real person.

Ironically, while PayPal does permit adding bank accounts, they will not allow me to delete an account from their system. For this reason, I opened up a special bank account just for PayPal -- it is not tied to any other accounts -- and the bank has been asked to deny PayPal access to the account. When PayPal gets compromised again, the bad guys will get nothing from me.

Besides being unable to remove my bank account, I cannot delete my PayPal account. PayPal won't let me delete it until I first validate myself. (No validation to create, but must validate to delete... sounds backwards.)

And don't even bother trying to get hold of their customer service. Phone calls (when you can find a number) have long hold times, emails either receive no reply or automated unhelpful responses about unrelated problems, and their online "Chat with a customer service bot" just sucks. (If you really need a phone number, refer to the phone list at paypalsucks.com.)

Serious Security

What we have here is a company with a history of compromises. They are asking for information that may not exist and that they cannot justify needing. This sounds like a security risk to me.

If you have never created a PayPal account, then I strongly recommend not starting one. If you use PayPal, then consider not using them. And if you receive a request for this detailed personal information, don't send it.

Every now and then I come across a picture that really makes me say "wow".



On the web, most pictures that are "wow" are usually photoshopped. I've been trying to automate many of the manual heuristics that I developed for evaluating images. My automated tools flagged this image as "manipulated" -- digitally enhanced. However, something didn't seem right. The crisp edges, or blurry boundaries, expected around image splicing isn't there, even though the different error levels are present. Although PCA identifies that the colors are off and luminance gradient finds linear coloring (synonymous with modification), wavelets identify no splicing. And a visual assessment finds other oddities. For example, Cynthia Baron noticed a few things:

There is a small light corner to the left of the child's left eye that looks to me to be left over from the child photo's original background.

The right eye shows signs of having been altered. The inside corder is too light and not quite the right color, and there is something suspicious to me about the extreme positioning of the iris.

Since there are conflicting findings, I decided to contact the photographer...

The Photographer

Dave Roth is an exceptional photographer. I analyzed some pictures from his blog and found no sign of manipulation. Usually when someone modifies a photo, they don't stop with just one.

I was really impressed with the speed that he wrote back to me:

I took this photo back in early 2005 with a Minolta (maybe it was Konica Minolta by then) Dimage 7Hi, that was about a year old at the time.

As far as edits go, I don't think I did any, actually. I know I didn't own photoshop then. I bought Elements in January 2008, and this photo has been posted on three sites legally: Zooomr, Flickr, and JPG Magazine since long before then.

He was also gracious enough to send me the original photo from the camera. (Same big picture found at Zooomr, but prior to Zooomr resaving the image.) This original matched the quantization tables for the camera and shows no sign of manipulation -- it tests as real. It also looks like the picture on the web! So why does the web picture test positive for manipulation?

Photo Edits

Edits come in a variety of forms -- and not all are malicious. In this case, it appears that JPG Magazine did a few simple modifications that ended up making the entire image test as "digitally enhanced". (Below is the picture from Dave Roth. Mouse over the image to see the JPG Magazine photo at the same size. If they look the same to you, then try turning up the brightness on your monitor.)



Here's what Cynthia Baron, Chris Hanson, and I can piece together:

1. The image was scaled smaller. The original was 2560x1920, but the one at JPG Magazine is 658x493. When an image is scaled (larger or smaller), every pixel is modified. This caused the error level analysis to identify the image as being modified, but wouldn't fool most of the other analysis methods.
   
   
2. The image was recolored darker, and the recoloring is not linear. Print magazines usually try a test page and then perform a color correction so that the image looks better in printed materials. The modification isn't malicious; it is a regular practice. Otherwise, dark images may print too dark, and light ones may be too faint.
   
   Another option is that an upload service may have acted as an intermediary and recolored the image.
   
   In either case, the recoloring with scaling caused the changes detected by luminance gradient and PCA. It also accounts for the differences in the eyes; the eyes went from brown to black, one specular vanished, and the coloring in the sclera compressed to form a faux reflection.
   
   
3. Rather than posting the original picture to the web, JPG Magazine posted the color-adjusted print-copy to the web. Thus, posting a modified image.

JPG Magazine could not be reached for comment or validation of the manipulation.

Having gone through this exercise, I am amazed that I could identify the image as being manipulated. Even without any intended deception, the enhancements are detectable.