If this article doesn't make you sufficiently paranoid may I refer you to my all time favorite Underhanded C Contest, the leaky image redactor from 2008. The winning entry is just brilliant: it's simple, it works perfectly, does nothing tricky, but still allows near perfect recovery of redacted text.
Reminds me, lots of people take pictures of their driver's license or credit card or whatever using their smartphone and then use their smartphone's builtin image editing tool to make the credit card number (or whatever) invisible before uploading the image to whatever service they need it for.
Sounds innocent right? Well, depending on the paintbrush tool used (this affects both Apple and Android) the number will be fully or partially recoverable, because the paintbrush is slightly translucent. The user will repeatedly cover up the number using the same paintbrush tool until they can't see the number anymore, but if you load the result in any (real) image editor and turn up the contrast in that area, you'll see the numbers.
I can absolutely see this happening and it's absolutely, absolutely disgraceful that there is no dedicated, clearly marked redaction tool on iOS's image markup tool. I have only ever needed to use that markup for three things: to draw a circle around something, to draw an arrow pointing to something, or to redact something.
Users need a tool on the markup editor that they can select and unambiguously know that if they draw a big black rectangle over something, it is going to be replaced by solid #000000 pixels and anything underneath will be impossible to retrieve.
This reminds me of a similar story from Dr. Alex Wellerstein (historian of NUKEMAP fame). A Redditor he knew found some redacted nuclear weapons documents, and did the same trick, as the redactions were done with pieces of paper over the slides on a copier.
Funny, the guy who made the chipophone (Linus akesson) and other cool audio projects won 3rd place that year. His site was just on hn a week or two ago but I forget exactly what for
Because the code iterates per character, not per pixel.
If a pixel's value is '7' and in the redacted zone, the program will iterate over the single character and output '0'. If the pixel's value is actually '174', the program will iterate over all three characters, outputting '000'. Any normal PPM image viewer will display these identically, but high contrast areas like text will be recoverable.
Notably these formats are designed to be lossless and very simple to work with programmatically so they were used as the intermediate format in a lot of image processing workflows, even where the inputs and outputs are a more common format like JPG (which is extremely hard to manipulate directly).
I was one of the last judges of the competition. As far as I know Professor Craver just lost interest. Even the years I was involved I had to prod him to start the contest.
For those who are thinking "Yeah, duh, just use an image editor to crop it," as I did at first, this article is probably most useful for barely-tech-literate people, who can use Microsoft Word, Outlook, Edge, maybe Teams, and not much else. They wouldn't think that they'd need to open a whole separate image editor when Word has a cropping function built in that's always worked for them before.
Not foolproof, there have been instances when people have been cropping in an image-editor and failed to realize that the thumbnail hadn't been updated and leaked information.
If I need to ensure there's nothing on an image that wasn't supposed to be there, I just copy the visible pixels and paste it to a new document. No EXIF data, outdated thumbnails or anything.
Using a screenshot tool should be safe. It will treat all pixels on the screen the same, so it doesn't know that some pixels have metadata beyond what's visible on the screen.
> Using a screenshot tool should be safe. It will treat all pixels on the screen the same
Nope. Microsoft Office has an option/plugin that lets you flag emails and documents as restricted. You can, for example, send such an email to someone else. That person can open the email and use a screenshot tool on that email. What they will get is a flat gray box where the email content was.
Not all pixels on the screen are the same. And you have no idea if your computer tattled on you and let the sending org know that you tried to screenshot the email.
If you use Outlook to restrict an email and send that to me at a non-Microsoft-affiliated account (that I access from a non Microsoft OS), I have to imagine the restriction is worthless.
My child's school uses this feature when they email parents, you have to open the email up in a web browser and the web browser has to be allowed/supported by outlook web access to render. I haven't tried to screenshot it, but it's annoying as hell getting one of those emails on my iPhone.
My anecdote demonstrates that the operating system is clearly not treating all pixels the same, which is exactly what I wrote. And the screenshot tool participates in this.
This MS Office trick is a quick and easy way to show someone that you can’t trust Windows when it comes to screenshots. Ignore it at your own risk.
Well, if we talk about goverbment whistleblower programs I assume using a fax from a random location while travelling would be good enough to not be identified by your employer (or whom ever you blow whistle on).
If you do blow the whistel on the government, well, you better trust your journalist partner a lot. Or use a trustworthy lawyer as a go between.
But hey, one could send the fax back and forth, cut of the fax numbers and physically mail it from a very busy train station! And have a someone put the letter into the letterbox for you, someone you pay out of view of any CCTV cameras!
Don’t forget to pilfer newspapers from around the country and cut/glue letters from different fonts to compose the message and use homemade paper as the base layer.
"...failed to realize that the thumbnail hadn't been updated..."
Right, I'd never use part of the original image. Best print it out and rescan it, preferably on different scanner.
Being truly anonymous is enormously difficult, even the Bauer pattern/Bayer filter shape in one's image sensor will give one away. That alone requires sophisticated filtering to decouple it from a specific sensor/camera.
And that's only the beginning, there are many other factors that contribute to the leaking one's identity.
I'm aware of that, hence my comment about the many other issues that have to be considered in decoupling information from hardware.
1. First, most whistleblowing comes from B&W documents so color isn't an issue. If it is the case then there are alternative solutions which I'll not persue here in any detail (the post would be very long).
2. Printing then rescanning can decouple the camera to some extent as physical distortions are introduced by (a) the geometry of the inkjet nozzles or laser subsystem, (b) more geometric distortion is added by changes in paper size as its fused/dried, (c) additional distortion is added by the optics of the rescanning system, same goes for any further printing and so on. Also, each stage alters the gamma and adds other non linearities to the transfer.
3. Reducing the scanning resolution will add additional distortions, blurring is to be encouraged but not to the point of illegibility. (Doing a low resolution copy on a FAX machine with time/date/headers/footers turned off could help.)
4. This may sufficiently decouple the camera but it won't decouple the copying/scanning/rescanning equipment. Best do this on machines that are located well away from the source so they're not easily traceable or associated with you or your work.
5. Copying documents across multiple different photocopiers will help as they all add optical and other geometric distortions and transfer—gamma-type—errors. Deliberately lightening and darkening the image at each stage will further increase distortions. The combined distortions will make it very difficult (but not impossible) to reverse engineer the path back to the source. Have you ever wondered why the quality of the printed type in copies of evidence, FOIs, official documents etc. often looks so daggy and blurred as to be almost illegible?
6. The idea is to add as much distortion and blurring in the chain of copies as is possible and yet still keep the final copy legible/identifiable. It's a fine balance.
7. That still does not guarantee anonymity. Sensitive documents are often 'doctored' so that each recipient receives a subtlety different copy, spacing between words may change so may the page layout, also small seemingly insignificant and barely obvious 'marks' on the page will differ between copies thus identifying each recipient. None of the camera techniques above will overcome this problem.
8. One technique is to retype the document so that it is almost identical in both looks and content but with lots of subtle changes in both layout and wording—but NOT to the extent of changing the document's meaning. Same goes for modifying images (a complex matter). As a last resort this could give you a degree of plausible deniability in cases where marked documents are issued. If you do this it would be very advisable to spirit away actual copies of the originals in a truly safe location—you may really need them one day (after you're accused of, say, forgery). I'd suggest you only go down this path if you are very competent and the stakes are very high.
9. None of what I've said should be taken lightly. No matter how hard you try to decouple yourself totally from the source (or from any involvement) it is nigh on impossible to hide from formidable and sophisticated forensics if applied relentlessly.
10. Moreover, whistleblowers, more often than not, end up being reveilled by fellow workers and usually without a job or decent reemployment prospects. Unfortunately, our culture hasn't embraced whistleblowers and whistleblowing as it should. It's a very risky business. Take the case of whistleblower Daniel Ellsberg and the Pentagon Papers; his effort wasn't rewarded as we ought to expect and he nearly ended up being locked up.
Moreover, at one point Ellsberg wistfully noted that reaction by the American public to his efforts wasn't very favorable. When it comes to whistleblowing it seems not much has improved in the last five decades.
_
Edit: FYI, there are many excellent videos on Daniel Ellsberg and whistleblowing on YouTube.
That sounds a lot more complicated than making a screenshot, which also discards all metadata that might lurk in the original image and won't introduce hardware-specific patterns. Some screenshot tools are really simple to a point you can actually check what they're doing.
But if I ever learned anything about that area it's that there's probably still five other details I haven't considered.
i just screenshot images. that way it'll lose any metadata. any parts outside of my screenshotted area can't be included... and i think the black rectangles are genuinely black in sharex...
I think this is a little unfair. I would not blame anyone for thinking that the part of the image they cropped is deleted. That's what the word means, that's what it looks like is happening, there's usually no warning that it's recoverable.
When you delete text it is really gone from the document, even though you can undo to get it back. It's totally reasonable to expect images to work the same way.
OP isn't saying the person is barely tech literate because they didn't expect the image to be restorable, but that they're likely barely tech literate because they were using a word processor as an image editor.
Abusing Microsoft Office applications to do things they're not designed to do has sort of a bathtub curve of likelihood versus tech literacy. The people most likely to do it are either largely tech illiterate or skilled hackers with far too much time on their hands.
Again, it's not for 99% of people who have just cropped out the expanse of the sky to focus on the sunflower, it's for journalists and whistleblowers who normally be not familiar with the pitfalls of the technology that they're using. That's it, no-one is forcing you to use the built-in cropping tool if you don't care that someone might see what the whole picture is but it is a valuable information for someone blowing the whistle in cases like child abuses at certain subcontractors of a well-known car factory.
Kevin in accounting might be making a document for work and might take a screenshot of his entire desktop to put in an onboarding document, intending to crop it. He could have a password in Notepad off to the side
What I had in mind when I was writing that was a story I once read of a user who did all of her computer interactions through Word (i.e. all of her emails were empty with a Word document attachment containing the text, among a few other amusing anecdotes). But yeah, the characterization is a bit unfair from that perspective.
I know a few people personally who mainly used Word (and increasingly also web browsers) when working on computers, and it's sometimes obvious they view everything a computer does through that lens. For some people only used to Windows even appstores are a foreign concept, a relative's first impulse when trying to install a phone app is to open the phone's web browser and do a Google search.
Those are things many recent UI "improvements" haven't considered.
It really would benefit most people to learn to use (Windows) Snipping Tool or (Mac) cmd-shift-4 to crop an image that is currently displayed on their screen; that would create a new image altogether (cropped screenshot). It's truly even easier to use than whatever Gsuite or Office alternatives they would otherwise use, once you know of their existence.
My significant other is outside of tech and wasn't aware of either of these. Once shown, there was no reason to go back to using anything else to crop images.
saving a screenshot as JPG (lossy format) adds more loss - if you started with a lossy image in the first place then we are losing even more information by screenshotting it and saving it again in a lossy format.
even when not intended for print, when making formal documents and presentations I look for the original images at highest resolution available.
Mac OS' preinstalled screenshot tool saves in PNG, same with Android screenshots. Not sure about Windows' Snipping Tool but it would surprise me if it was different there.
I sometimes get smartphone photos of computer screens sent to me by friends. It makes me cringe every time, but now I'm thinking maybe they're onto something.
While I doubt they are meaning it as such, it's not far off from the technique of physically redacting a printout and then scanning that as duotone so there was never, ever a digital path between the original and the resulting digital copy.
I think it’s usually done because copying a file from a computer to a smartphone universally is still a pain in 2023
- Bluetooth file transfer… I don’t even know where to begin
- AirDrop requires you to be in the Apple ecosystem. I think default settings also require you to be logged in the same Apple account on both devices too
- Cloud storage services need you to install the app or login into the website on both your phone and the computer with the same account. Very few of my non-tech friends even have any cloud storage service outside what their phone uses
I think I would do this by default because I'm so ignorant/incompetent with the fancier tools that I'd never think to look for a cropper. I'm the cretin that says, "Oh I can do this in MS Paint!" and even spends a 1/2 hour remembering how to do that much...
Except when we're talking mobile apps. Samsung apps have a penchant for producing... enriched files in common formats.
For example, "motion photo" feature I used few years ago would give you perfectly normal JPG file that also happened to store a short video. Nothing I know other than Samsung phones can read the video part directly, though there exists desktop software that can extract it and save as separate video file.
More recently, I've noticed photo editor tools on Samsung phones allow you to undo previously made edits on an already saved file, including any destructive crops and transforms - meaning the original is being persisted somewhere. I haven't checked where, but I imagine it's again attached to the back of the JPG you thought you've cropped/redacted.
Somewhat related: PlantUML. It's a tool for generating diagrams from plaintext descriptions. One of its most interesting, if not well-known, features is that it saves "editable PNGs" by default - that is, PNGs it produces have the plaintext diagram code attached to the image as metadata. Seems mostly harmless, but it could technically leak information you put in the diagram code but made not visible in the image.
Something to keep in mind when accusing people of overreacting to "minor" data leaks, such as a little extra metadata here, some telemetry there... they add up. And one day, you might have to do something actually important, and there will be all these little landmines lying around.
We need a return to WYSIWYG principles. Any metadata stored in a file should be shown to the user in some way, to make them aware of that metadata existing. And if the metadata is incomprehensible to the user, then maybe it shouldn't be stored at all. There shouldn't be any surprises. If a file has an embedded thumbnail preview of itself which could become out of sync with the main image data, both should be shown to the user so they have an opportunity to notice it.
That's a bit of a weird use of WYSIWYG, which is usually used to mean that you can't see the metadata. For example, imagine you're editing a WYSIWYG document and enter:
A
Ctrl+I
Enter
Ctrl+I
B
This will look like:
A
B
If you later start typing on that intermediate line, though, your text will be in italics. This is what users expect, and is in contrast to outting a little "italics" markup symbol on the line, as people did pre-WYSIWYG or do today in Markdown, HTML, and other markup languages.
A random example I realized the other day: your Android phone has a record of exactly what app was active at what time. Even if you delete both the app and whatever documents you were working on, the log of you using it still persists. And that bit is user-accessible in the UI (at least on modern Android) - system logs probably have much more.
And then, the app use information is also independently stored on your Google account. For your convenience. So even if you flush your phone down the toilet and get a new one, the information remains. Even if you wipe your Google account, organizations with enough pull (e.g. governments) could get at it.
And don't get me started on battery level / charging status or what WiFi networks were seen when.
VINs are by design very visible on cars? You could get the same information by just going to the lot...
Though the overall lesson of the story is good: analog redactions with a permanent market and a b&w photocopier are recommended for anybody without 100% confidence in their tools.
Or better yet, an exacto blade. If the "black and white" photocopier is actually grayscale, then you could get text leaking through the marker if you play around with the image contrast.
Not sure I would rely on that, but Xerox's docs state that the requirement was introduced as an anti-counterfeit measure by some governments. Counterfeiting currency probably wouldn't be a concern with B&W printers.
Most banknotes are not printed on ordinary paper, but it doesn't stop people from trying. Printers which produce those dots will also usually refuse to print high-resolution pictures of dollar bills.
>Cars for example, now you must know that in Europe for some reason people are very weary of their VIN.
Quite a lot of cars in Europe, including from European marquees, have the VIN in a visible place at the bottom of the windshield.
I can also look up the VIN for pretty much any car on the road by just searching the number plate on the traffic authority's website. Gives me the VIN, last inspection date, tyre sizes, tax info, etc.
Anecdote: I experienced this first-hand with Facebook actually, in 2017. I tried to crop a screenshot, and then post the cropped image in a FB Messenger group chat. FB Messenger defaulted back to the full screenshot image. I decided to no longer use FB after this.
Also, all TikTok videos are restored to their original form and archived, by TikTok, both in the US and China. All those "blurry" nudes, "a day in the life at the office", and more, belong to TikTok. Along with all that metadata. TikTok you don't stop!
Use a separate digital camera and JPG rescale/compress the hell out of it after the fact. Screen grabs are convenient, but not sufficiently lossy, and can leak information.
If you're feeling rough, run the screencap through an OCR and a spell checker first before taking an off axis picture in Times New Roman.
I wouldn't even trust that blindly, I totally imagine that there could be metadata in the screenshot containing for example the title of the window being screenshotted etc.
If noone does that right now it is just an update away.
i think if you export to a bitmap then you at least have a fighting chance. The bitmap format is simple enough that you could probably use a hex editor to read the header segment and be reasonably sure you understand what is tagging along with the file.
A very simple and easy way to pretty much guarantee an image doesn’t contain unnecessary metadata, can’t be uncropped, etc. is to first convert it to JPEG and then run it through an image optimizer (like ImageOptim [1]). Don’t use cloud software for any of this — do it all locally.
Btw, you don't actually want to use a lossy image container in the modification steps if you don't want to leak any data.
JPEG has ways of extracting data that was either cropped out or written over, by how the compression is performed over the parts of/whole image. Compression artifacts can and will propagate data that you are not fully aware of.
PNG is a safer bet for screenshot content for the middle steps.
Only the final image should be compressed using a lossy image compressor as then any details can't be diffused to the image if they simply aren't there.
I just checked the PNGs created by the Windows screenshot tool (win+shift+s). There was no obvious metadata inside. If there is something, it is not easy to find.
Snipping tool + recompression + conversion is usually enough to get the job done. That's what I do when I put public screenshots up that I care about redacting or protecting.
I'm just a nobody, but I wouldn't trust the Intercept on OPSEC advice. From a purely technical point, they did fail to protect their sources when they exposed Reality Winner to the US government.
There's a second possibility, though: that after having screwed up this badly they are now doing their best to protect future sources.
Or as Thomas J. Watson put it: "Recently, I was asked if I was going to fire an employee who made a mistake that cost the company $600,000. No, I replied, I just spent $600,000 training him. Why would I want somebody to hire his experience?"
...and the 1970's (first I heard it, IIR) comeback:
Don't fire him, and you've paid $600,000 to train just him. Fire him, and you've paid $600,000 to train everybody else at the company. Which one is the better value?
I would not pay $600k to teach everyone at the company that if they make a mistake I will fire them to set an example. If that was my position, it's a lot cheaper just to walk around threatening people and making them feel paranoid every day at work. But I think it's a bad position to take. So I'd probably keep the one guy who is never going to make that mistake again around, and fix whatever system allowed the mistake to happen in the first place.
That was an intentional failure to protect, because Reality Winner's biography was important for the story that much of the US government was trying to sell.
However don't trust... tools can't help but be good advice. There's no need to trust the Intercept on metadata existing.
This reminds me of something similar from the guy who implemented AVIF in Firefox. He gives a talk about the implementation [1] where he talks about the CLAP privacy problem. Basically the spec adds a field that allows for cropping of the image, but the binary file would still contain the original. This would lead users to believe some image data was deleted when it really wasn't. I always thought he spent a lot of time and effort to restrict clap for little gain, but now I'm starting to think it was worth his effort.
If you’re whistleblowing you should probably convert all your pages to images first and then create a PDF out of those images. If you convert to b&t images (1 bit) the risk of watermarking with some colored dots in images may be reduced.
But there is probably still a lot of watermarking that could leak through.
> [. . .] convert all your pages to images first and then create a PDF out of those images.
PDF’s are risky business. So much metadata can be hidden in a PDF depending on how it was generated. Stick to optimized JPEG’s (as I suggested in another comment [1]).
For clean PDFs you would need a dedicated tool. I wouldn't trust PDFs that were created by any standard office software (Word, Acrobat, ...). There is always the risk some information about your computer, user name, time zone, location or maybe even license key/hash of the software may leak into the created document.
Reminds me of the BTK serial killer Dennis Rader who got caught because of leaked metadata in a Word document.
> Police found metadata embedded in a deleted Microsoft Word document that was, unknown to Rader, still stored on the floppy disk. The metadata contained the words "Christ Lutheran Church", and the document was marked as last modified by "Dennis". An Internet search determined that a "Dennis Rader" was president of the church council.[1]
My frustration for a decade is that I don't know any handy image editing tools on smartphone for simple editing like trim, resize, paint, add text, rectangle filling/blur. There are many photo editing tools for who love Instagram, but it's not what I want. I have both Android and iOS but still I don't know. Anyone could recommend? I love paint.net on Windows.
Note that I've seen it halve the resolution of large images imported, but I don't know if it always does that or never (and I was mistaken), and I couldn't find a switch to turn off downsizing.
For many years I have used SnagIt for cropping photos and documents. It has excellent features for marking up the resulting images too. It is very useful for customizing something for insertion in a Powerpoint slide. I do hate the nag screen poking me to upgrade from version 8 though. Fortunately it is a two click operation that has become muscle memory to me now.
The wisdom that you should never enter anything sensitive into a rich document editor is older than the internet.
I remember lots of people getting busted after news spread that Word 97 kept the complete undo-history within the doc-file itself. Leaking a lot of redacted hate-mails and plagiarized then edited home assignments.
Does anybody remember the famous incident with the TechTV host Cat Schwartz, who took a topless photo, and then cropped it to just her eyes and posted it on her blog? And then a fan told her "btw, the original photos contained a thumbnail version in the exif data, and photoshop did not update or remove that." So you really could do that gag from Red Dwarf where they "uncrop" a photo.
I didn't use Word in years now, but I remember that there was an option for reducing image size. That option would remove cropped part. I've just searched for help and this is what I've found https://support.microsoft.com/en-us/office/reduce-the-file-s...
This is why sensitive screenshots should always be edited and saved in something like MS Paint. This way you see everything and minimal metadata. no surprises. Fancy editing tools always have hidden stuff. Text should be redacted by blacking it out, not blurring, which can also be reconstructed.
It pains me that the easy crop handles in mspaint seem to have gone away in win11. I don't have a win11 machine in front of me but I'm thinking there is now a tool to accomplish simple crop in the new and "improved" mspaint?
I find the "snip and sketch" tool handy. If you push the "windows + shift + s" keys it lets you draw a box around what you want a "snip" of. Then you'll get a notification you can click on that will bring up basic editing tools, including image crop.
I have started using snip and sketch but it occupies a different part of my work flow. Generally with paint I'm editing something existing and I don't think of S&S for that.
That's exactly how old paint worked. Ctrl-a for select all and place things so that the top & left is where you want it and then you can grab the handle to do the bottom & right. Always done it that way.
I'll look for the crop button in paint 11, don't think I've noticed it yet.
Sadly looks like win 10 does hit EOL before I retire so I've got one more generation to deal with before I slip away to linux and mac.
http://www.underhanded-c.org/_page_id_17.html