  1. Andrew Mumford says:

    In case it matters to you,

    “Three years later, we see — from Leica — the first piece of C2PA-equipped hardware that photographers (granted, well-healed ones) can benefit from.”

    well-healed = well-heeled, i.e. rich people with costly pristine footwear, unlike the rest of us peasants with broken-down, worn-out shoes.

    • Carl Seibert says:

      Now now. Lots of starving artist photographers use Leicas. That said, your etymology is literally (ouch) spot on. Go to a gathering of people who own Leicas. The occasional professional photographer excepted, you will see some mighty fine footwear!

  2. Dennis Walker says:

    Thank you Carl for pointing out all the ugly details in such a wonderful nonchalant way! Unfortunately the details are necessary if we want to move forward, and this is a nice springboard to cuss and discuss all the bits.

    Your point that you don’t need a C2PA-compliant camera (e.g. Leica M11-P) to digitally sign photos is right on track. Hint, get your signing certificates now before the price goes up.

    • Jeremy says:

      Get a signing cert (Public/Private key pair) from whom? The advantage of the key being embedded in the camera is that the user doesn’t have to acquire one and the CA (certificate authority) is presumably the manufacturer (Leica) or Adobe, though it could in theory be any CA based on my understanding.

      Acquiring your own cert might allow you to retroactively sign your archives. In essence, putting an accountability and integrity stamp on the state of your archives. I’m not aware of a tool that would easily allow for that yet.
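The integrity stamp Jeremy describes above for an existing archive, sketched in Go as an added example (not part of the original comments, and not a C2PA tool). It assumes a detached Ed25519 signature over a SHA-256 manifest instead of a CA-issued certificate or a C2PA manifest; `BuildManifest`, `VerifyArchive` and the sample files are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"io/fs"
	"os"
)

// BuildManifest lists "sha256-hex  relative/path" for every regular file under dir.
func BuildManifest(dir string) ([]byte, error) {
	var out bytes.Buffer
	err := fs.WalkDir(os.DirFS(dir), ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories, symlinks, devices
		}
		data, err := os.ReadFile(dir + "/" + p)
		fmt.Fprintf(&out, "%x  %s\n", sha256.Sum256(data), p)
		return err // a read error aborts the walk
	})
	return out.Bytes(), err
}

// VerifyArchive checks the signature first, then that the files still match the manifest.
func VerifyArchive(pub ed25519.PublicKey, dir string, manifest, sig []byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	current, err := BuildManifest(dir)
	if err == nil && !bytes.Equal(current, manifest) {
		err = fmt.Errorf("archive differs from signed manifest")
	}
	return err
}

func main() {
	dir, _ := os.MkdirTemp("", "archive") // constructed sample archive
	defer os.RemoveAll(dir)
	os.WriteFile(dir+"/a.jpg", []byte("frame A"), 0o600)
	os.WriteFile(dir+"/b.jpg", []byte("frame B"), 0o600)
	pub, priv, _ := ed25519.GenerateKey(nil) // throwaway key standing in for your own
	manifest, _ := BuildManifest(dir)
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("as signed:", VerifyArchive(pub, dir, manifest, sig))
	os.WriteFile(dir+"/b.jpg", []byte("frame B, retouched"), 0o600)
	fmt.Println("after edit:", VerifyArchive(pub, dir, manifest, sig))
}
```

The manifest and signature are kept outside the hashed directory; a signature like this shows the archive is unchanged since signing, not when or how the files were made.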

      • Carl Seibert says:

        The certificate I was talking about would be to allow you to sign your work after you’ve edited it, say in Photoshop. Which you would have to do to keep the chain intact when you turn in your work.

        I just paid my yearly Adobe bill. Maybe for that kind of money they could include a coupon for a cert?

  3. Jeremy says:

    I’m not sure which vulnerability you’re talking about, Carl, but in the “fancy” attacks realm we often say that “physical access is root access”, meaning having control of the device implies full control over it. Expanding on this concept, my concerns are how the signing keys are generated and stored in the camera. In the past, we’ve seen lots of key material being hardcoded into the firmware which required a simple (relatively) disassembly of the firmware binary to extract the key(s). The signing keys are the holy grail. For a more advanced attack, an attacker may discover a way into an interactive maintenance mode to extract firmware from the device itself. One way to protect against this is to embed the encryption mechanisms in a dedicated chip that not only does the encryption but also stores the key material (à la TPM in PCs/Windows). It’s much more difficult to attack TPM (not impossible). Cracking SHA256 is almost never the answer, at least until maybe quantum computing is a real thing.

    While this /is/ conjecture, I spent 20y around and in cyber security performing some of these attacks myself. Once the stakes are raised, all it will take is enough time and money to crack or bypass the security mechanisms.

    CAI has done an admirable job explaining their risk assessment, what they ARE trying to protect against and what they are NOT trying to protect against. The code, the discussion board, and the project are all very open for public comment. The manufacturers, on the other hand, have been very tight-lipped. My questions would be to ask what kind of risk assessment/s they’ve done, what kind/s of threat actors they’re trying to mitigate, can the keys be revoked on camera and refreshed, and define their security boundaries – in other words, “show your work”. Adding CAI is a great step, and I’m eagerly waiting for its addition to my Z8/Z9, but I’ve also been in the security industry long enough to see the patterns of an industry adopting new security mechanisms and the common ways they fail.

    • Carl Seibert says:

      >Once the stakes are raised, all it will take is enough time and money to crack or bypass the security mechanisms.

      Exactly. We’re talking about retail-level crimes here, not high stakes crimes. If somebody finds a cheap and dirty cyber attack, they’ll do it, sure. But it’s my position that, for the most part, we’ll just see bone simple physical or human factors attacks. I mentioned putting fake C2PA icons on your fake news site. Need a camera certificate? Just buy – or steal – the darned camera. Instead of busting their butt finagling the key out of the camera, they could use the so-called “analog hole” and use their stolen camera to copy their fake image. The quality won’t be as good as what could be achieved with a proper hack but that doesn’t matter. Consumers of disinformation want to believe. They won’t notice the flaws.

      I think we all need to use whatever voice we have to urge all the parties, C2PA, camera makers, and developers, to carefully consider where the real real-world threats will be and try to mitigate them. Society-wide, we have a crappy record at this. We are great at making systems so “secure” that users can’t use them while not noticing some character pluck a Post-it note off a wall to do the world’s largest (at the time) credit card breach.

      I have more of a warm and fuzzy about Leica’s embedded key than Sony’s software-only approach. But I leave that argument for folks with your expertise. If Sony’s approach leads to a few more breaches but a lot more cameras on the street with signing capability, that would seem to be a win on balance. End of the day, the bad actors will show us where the soft spots are.
