this post was submitted on 11 Feb 2024
643 points (97.9% liked)

Technology

59197 readers
3261 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

The White House wants to 'cryptographically verify' videos of Joe Biden so viewers don't mistake them for AI deepfakes::Biden's AI advisor Ben Buchanan said a method of clearly verifying White House releases is "in the works."

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 79 points 9 months ago (3 children)

I have said for years all media that needs to be verifiable needs to be signed. Gpg signing lets gooo

[–] [email protected] 36 points 9 months ago (2 children)

Very few people understand why a GPG signature is reliable or how to check it. Malicious actors will add a "GPG Signed" watermark to their fake videos and call it a day, and 90% of victims will believe it.

[–] [email protected] 7 points 9 months ago (3 children)

As soon as VLC adds the gpg sig feature, it's over.

[–] [email protected] 11 points 9 months ago

No, it's not. People don't use VLC to watch misinformation videos. They see it on Reddit, Facebook, YouTube, or TikTok.

[–] [email protected] 4 points 9 months ago

…how popular do you think VLC is among those who don’t understand cryptographic signatures?

[–] [email protected] 1 points 9 months ago

And that will in no way be the first step on the road to VLC deciding which videos it allows you to play...

[–] [email protected] 4 points 9 months ago

Yeah but all it takes is proving it doesn't have the right signature and you can make the Social Media corpo take every piece of media with that signature just for that alone.

What's even better is that you can attack entities that try to maliciously let people get away with misusing their look and fake being signed for failing to defend their IP, basically declaring you intend to take them to court to Public Domainify literally everything that makes them any money at all.

If billionaires were willing to allow disinformation as a service then they wouldn't have gone to war against news as a service to make it profitable to begin with.

[–] [email protected] 22 points 9 months ago (2 children)

I just mentioned this in another comment tonight; cryptographic verification has existed for years but basically no one has adopted it for anything. Some people still seem to think pasting an image of your handwriting on a document is "signing" a document somehow.

[–] [email protected] 4 points 9 months ago

It doesn't help that in a lot of cases, this is actually accepted by a shit ton of important institutions that should be better, but aren't.

[–] [email protected] 2 points 9 months ago (1 children)

Still trying to get people to sign their emails lol

[–] [email protected] 1 points 9 months ago (1 children)

I mean, part of it is PGP is the exact opposite of streamlined and you've got to be NSA levels of paranoid to bother with it.

[–] [email protected] 1 points 9 months ago (1 children)

It's automated in all mainstream email clients, you don't even have to think about it if a contact has it set up

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago) (1 children)

if a contact has it set up

Well, there's your problem.

The most commonly-used mail client in the world is the Gmail web client which does not support it. Uploading your PGP key to Gmail and having them store it server-side for use in a webmail client is obviously problematic from a security standpoint. Number 2 I would guess is Outlook, which appears also not to support it. For most people, I don't think they understand the value of cryptographically signing emails and going through the hassle of generating and publishing their PGP keys, especially since Windows has no built-in easy application for generating and managing such keys.

There's also the case that for most people, signing their emails provides absolutely no immediate benefit to them.

[–] [email protected] 1 points 9 months ago (1 children)

Plus that's email. What about... Literally everything else?

[–] [email protected] 1 points 9 months ago

Yeah, almost nothing has good PGP integration.

Except Git, apparently.

[–] [email protected] 2 points 9 months ago (1 children)

The average Joe won't know what any of what you just said means. Hell, the Joe in the OP doesn't know what any of you just said means. There's no way (IMO) of simultaneously creating a cryptographic assurance and having it be accessible to the layman.

[–] [email protected] 1 points 9 months ago (1 children)

There is, but only if you can implement a layer of abstraction and get them to trust that layer of abstraction.

Few laymen understand why Bitcoin is secure. They just trust that their wallet software works and because they were told by smarter people that it is secure.

Few laymen understand why TLS is secure. They just trust that their browser tells them it is secure.

Few laymen understand why biometric authentication on their phone apps is secure. They just trust that their device tells them it is secure.

[–] [email protected] 3 points 9 months ago

Each of those perfectly illustrates the problem with adding in a layer of abstraction though:

Bitcoin is a perfect example of the problem. Since almost nobody understands how it works, they keep their coins in an exchange instead of a wallet and have completely defeated the point of cryptocurrency in the first place by reintroducing blind trust into the system.

Similarly, the TLS ecosystem is problematic. Because even though it is theoretically supposed to verify the identity of the other party, most people aren't savvy enough to check the name on the cert and instead just trust that if their browser doesn't warn them, they must be okay. Blind trust one again is introduced alongside the necessary abstraction layers needed to make cryptography palatable to the masses.

Lastly, people have put so much trust in the face scanning biometrics to wake their phone that they don't realize they may have given their face to a facial recognition company who will use it to help bring about the cyberpunk dystopia that we are all moving toward.