undefined | Better HN

0 pointssimondotau4y ago0 comments

That's a lot of words to say that you could sufficiently mangle an image that it could pass through all of Apple's algorithmic hurdles while not actually being CSAM. Of that I have no doubt. You could definitely generate a mangled image that fools multiple perceptual hash algorithms.

Let's set aside the questions of where you got all these hashes to generate collisions with, how you got 30 of these mangled images into your victim's camera roll without them noticing. And let's also set aside whether your victim's device is an iPhone with iCloud Photo Library enabled (and has sufficient storage). I still don't get what these mangled images have achieved, other than giving the manual review team something other than child porn to look at.

Seems to me like it'd be easier to just find actual child porn, print it out, place it somewhere in the victim's house and then report it to the police.

0 comments

dTal4y ago

I think you missed the point of the first paragraph. The point is that you can now hide child porn by making its hash collide with innocent images. They won't ever make it to manual review. Ergo, NeuralHash is now useless.

simondotauOP4y ago

Why would anyone go to the effort of technical concealment[1] of CSAM when they could just resist the urge to import child porn in their phone's photo library in the first place? I've managed to resist the urge to import regular porn into my photo library, and being caught with regular porn is (at most) embarrassing. It's not potentially life-destroying.

It's inconceivable that anyone could desire possession of NCMEC-catalogued CSAM images without being aware that they're risking serious consequences if they're caught. Who wants their deepest, darkest, potentially life-ruining secrets just milling about with photos of the dog and last night's dinner?

[1] ...which is all but impossible for an average user to prove was effective; it's not like the Photos app has a "Not Child Porn!" checkmark.

laszlokorte4y ago

I agree with you in that I do not understand why anybody doing something illegal would upload related data to a cloud storage.

But if nobody would import CSAM into their icloud library why do all the pictures need to be scanned in the first place? I would imagine anybody doing major illegal stuff being informed about important measures in order to not be caught.

1 more reply

FabHK4y ago

So, the presumed attack (not against individuals, but to defeat the system) is

1. Identify some innocuous pictures that many many people have (memes, Beyoncé, whatever).

2. Produce CSAM.

3. Mangle it such that it is still CSAM visually, but NeuralHash-collides with the innocuous pictures from step 1.

4. Distribute.

5. Wait until they are (via some other mechanism) a) identified as CSAM, b) added to the NCMEC database, c) added to the Apple on-device database of blinded hashes in some iOS update.

6. Millions of people are suddenly incorrectly flagged for exceeding the threshold by NeuralHash (since they have the innocuous pictures in their library), and the review teams are flooded and can't pick out the small number of actual CSAM holders.

That is not without a certain elegance. However, it seems to me that

A) it is predicated on the assumption that you can easily mangle pictures to NeuralHash-collide with a desired target picture (out of a set of widely circulating innocuous pictures) without deteriorating the visual content too much.

B) it would be quickly defeated by amending the 2nd tier algorithm (between NeuralHash and human review), though, as you highlight, that might be tricky given that the team working on this presumably only has access to the innocuous false positive collision image, not the (purposefully mangled) CSAM.

saithound4y ago

> A) it is predicated on the assumption that you can easily mangle pictures to NeuralHash-collide with a desired target picture (out of a set of widely circulating innocuous pictures) without deteriorating the visual content too much.

Note that this requires no single "desired" target picture. There are millions of popular, innocuous pictures. As long as you can make your CSAM match any one of them without significant mangling, you're good to go. Not having to choose one specific target makes this much easier to accomplish.

nullc4y ago

> it is predicated on the assumption that you can easily mangle pictures to NeuralHash-collide with a desired target picture (out of a set of widely circulating innocuous pictures) without deteriorating the visual content too much.

You can. Here is an example I created (with links to more): https://github.com/AsuharietYgvar/AppleNeuralHash2ONNX/issue...

I'm so tired of people suggesting that you can't. Please explain to me why you posted suggesting otherwise.

I've contemplated making some that are also photodna matches, I expect that it's possible. But access to photodna is only through some awful windows tools, and AFAICT people would just keep posting denials even after an example was posted-- so it's not worth the effort at least not worth it just to further the public discussion.

1 more reply

SiempreViernes4y ago

There's also the _very_ important assumption that Apple doesn't check for collisions with popular images before adding new things to the database.

j / k navigate · click thread line to collapse

0 comments

dTal4y ago

simondotauOP4y ago

[1] ...which is all but impossible for an average user to prove was effective; it's not like the Photos app has a "Not Child Porn!" checkmark.

laszlokorte4y ago

I agree with you in that I do not understand why anybody doing something illegal would upload related data to a cloud storage.

1 more reply

FabHK4y ago

So, the presumed attack (not against individuals, but to defeat the system) is

1. Identify some innocuous pictures that many many people have (memes, Beyoncé, whatever).

2. Produce CSAM.

3. Mangle it such that it is still CSAM visually, but NeuralHash-collides with the innocuous pictures from step 1.

4. Distribute.

5. Wait until they are (via some other mechanism) a) identified as CSAM, b) added to the NCMEC database, c) added to the Apple on-device database of blinded hashes in some iOS update.

That is not without a certain elegance. However, it seems to me that

saithound4y ago

nullc4y ago

You can. Here is an example I created (with links to more): https://github.com/AsuharietYgvar/AppleNeuralHash2ONNX/issue...

I'm so tired of people suggesting that you can't. Please explain to me why you posted suggesting otherwise.

1 more reply

SiempreViernes4y ago

There's also the _very_ important assumption that Apple doesn't check for collisions with popular images before adding new things to the database.

j / k navigate · click thread line to collapse