PhotoSec – 4 Things You Should Always Check For Before Uploading Photos

#1 - Fingerprints
A lovely glass heart and also fingerprints!

It's wild how often I find copies of people's fingerprints online. Someone selling a coin or button. A farmer showing off a growing berry. Or this artistic photo of a glass heart.

But what's the risk? Would people frame you for crimes with your fingerprint? Probably not. But what about unlocking your phone or laptop? With phone/computer access, it becomes trivial to get into every account you have – email, messages, social page, banks… everything.

Of course, they'd have to be able to translate an online photo into something that can defeat print scanners, but that only requires a 3D printer (or Gummi Bear candies in a pinch).

Are you dating someone really paranoid? Do you have a pissed-off 'ex' who might get access to your phone? Could your family use your phone to get access to your bank accounts and credit? Maybe, maybe not. What is certain is that it's hard to abuse someone's prints when you don't have them.

Whenever you're taking a picture of something in your palm, it's worth taking a second to make sure your fingertips aren't in the shot!

#2 Reflections
You'd be surprised how frequently people post themselves semi-nude because they didn't check reflections.

Long ago, I checked a work trading board for some furniture and found a decent hutch for a good price. Because I'd learned to scan reflections, I noticed that the woman who sold it to me was in her underwear when she took the photo.

Of course I never said anything (I didn't want to embarrass her), but I have told several thousand people since then!

People are constantly putting themselves in compromising positions by not checking reflections. Like the guy I found on LinkedIn who posted a "motivational talk" while apparently in the passenger seat of a car. Except, if you looked at the reflection in his sunglasses, you could clearly see him holding the wheel with one hand, and the phone in the other.

If I was someone who knew him and didn't like him, I could easily post that to the church board, send it to his family, or share it with the police. It wouldn't be the first time something like that happened:

This is a famous example that I've used for years teaching OPSEC.

I have no sympathy for people who film while driving, but what about people whose various states of undress or nearby toys and medicines might not be things they want people to see? Check your reflections, people.

#3 Background details
Hint, check the upper-right

The things people forget to check for in the background can occasionally be hilarious. A selfie where the dog is pooping or drinking out of the toilet or maybe your poor friend who's still in the shower… generally there's no harm done.

But what if you have private medical information visible? Passwords or security information? House keys that can be easily copied (even in a photo at an angle or from up to 200 feet away)? Concerning evidence of hoarding, filth, or other mental care concerns?


Giving away a pre-marriage pregnancy (Photo Credit)
Visible password? That's embarrassing. (Photo Credit)
JK Rowling's profile photo showed an apparent black mold infestation
A key where you can see the ridges can be copied. (Photo Credit)

It gets worse; what if the details people find in your background lead to more serious consequences? This is a scary world where people are judged, ostracized, attacked, or killed for:

Trigger warnings: abuse, violence

Keeping yourself and others safe means checking the background. What do you see? Are you "outing" yourself? Someone else? Are you giving away more than you realized? Will the visible details put you or anyone else at extra risk? Check every time before you upload.


#4 Location

Trigger Warning: Stalking, Assault

Hibiki Sato was one of many fans of pop-idol Ena Matsuoka, but he was obsessed. He studied her online photos to find her. Which way did the sun fall in the window of her apartment? What kind of window-dressings did she use? What features were visible outside?

He finally got his chance when he noticed, in a high-resolution selfie she took on her commute home, a sign for a train station in the reflection of her eye. It was enough for him to stake out the station, wait until she showed, then follow her home. She survived, but some aren't so lucky.

Idol hunted from an eyeball reflection

Sometimes the only thing that stops evil people from acting is not knowing where to find the target of their obsession (or A target of their obsession – a.k.a., a target of opportunity). But what good is caution about reflections and details if the photo itself blabs about your exact location?

Do you notice the 'Show settings' link over there on the right? Try clicking it. What happens?

In this very nice selfie that I found on Flickr, you might notice location information on the right; something often seen on photos uploaded to Flickr or Google or Facebook or whatever. It's not that people are taking the trouble to tag their location; the phone does it for them.

The phone records all the settings for the photo, but also other details it has access to. Maybe your name and sometimes your exact location.

Maybe if you're hiking and want to remember exactly where you saw that cool blue lizard, geo-tagged photos are helpful. If you go missing, the search party might find your last known location by the last cloud-uploaded photo you took.

Trigger warning: dark possibilities

But if you post while on vacation and thieves can see you're not home (and can check older photos for the location of your home). Or your stalker noticed you posted about being home alone for the evening (along with the exact location where to find you). Or you're a battered spouse on the run whose safety depends on not being found. Or if someone simply finds your lifestyle/religion offensive and now they know where to go to take out their frustrations…

Often people are safe because finding and harming people is hard, but "helpful" technology trivializes it to the point that the risk becomes higher simply because it's "easy". Especially now that AI tools that help analyze photos for location indicators are becoming more and more proficient.

For example, here's a test I did with GeoSpy.ai

It got it within about 18 miles

Using only a Google Streetview picture at random from the Seattle area, it was able to narrow it to within about 18 miles of the actual location – and that's just one photo. What if I had 10 or 100? Some people are very prolific posters and every photo gives bad guys more to work with.

Watch your timing! If you're at a restaurant taking a picture of your food and you upload it immediately, people will know where you are for the next 20 to 30 minutes. Maybe post later or the next day instead!

I'm scared. Now what?

It's easy to say "be careful" without offering any specific advice for actually doing so. But anything that's complicated or takes a lot of effort isn't something we'd actually do in practice. With that in mind, here are some simple tips for improving your risk posture:

  1. Crop – Easy – just remove the parts of the photo that have any problematic content. Sure, you can meticulously go through the visible papers on your home office desk; you can check with everyone in the photo at the party before posting. OR, you could just crop out that stuff instead.
  2. Shrink – There's rarely a time when it makes sense to upload a giant 20 megapixel photo directly to a social site. Why not shrink it by half or more? Even a photo only 1000 or 1500 pixels wide is plenty large for online sharing while making it next to impossible to see fine details like what's in the reflection of someone's eyes.
  3. Disable Geotagging – I mentioned there are some legitimate reasons to geo-tag, but those apply to almost no one. If you want geo-tags for something specific, so be it, but unless that applies to you, disable the "feature" and eliminate the risk entirely.
  4. Meta stripping tools/apps – These remove METADATA – the geo-tags, your name, and all that other information that I showed you before. All of it is dumped and gone. I don't have any recommendations because I don't upload nearly enough to use one of these, but if you're prolific, you might want to "clean" tons of photos all at once and then not worry about it.
  5. Screencap hack – On a computer, view the photo at about the size you'd want to see it online, then press WIN+SHIFT+S. This is a quick-capture shortcut that lets you snag a portion of your screen, which is auto-saved in your screenshots folder. Then you can upload that screen capture, which will be drastically size-reduced (but still large enough) and have ZERO metadata attached.
  6. Caution and diligence – Check backgrounds, zoom in, check reflections, scour each photo carefully for anything that someone might be able to learn. Make sure you don't have any unique and identifiable features nearby like street signs or addresses. If you find something or can't tell for sure, maybe reconsider posting.
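
The geotag check and the metadata stripping from tips 3 and 4, as an added example that is not part of the original post: a standard-library Python script that detects the Exif GPS pointer in a JPEG and drops the metadata segments without re-encoding the picture. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Segments that carry metadata, not pixels: APP1 (Exif/XMP), APP13 (IPTC), COM.
METADATA_MARKERS = {0xE1, 0xED, 0xFE}
GPS_IFD_TAG = 0x8825  # Exif IFD0 tag that points at the GPS block
SOS = 0xDA            # start of scan: compressed image data follows

def segments(jpeg):
    """Yield (marker, payload, raw_bytes) for each segment of a JPEG."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:  # keep everything from here on untouched
            yield marker, b"", jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(jpeg):
            raise ValueError("truncated or corrupt segment")
        yield marker, jpeg[pos + 4:end], jpeg[pos:end]
        pos = end
    raise ValueError("no image data found")

def has_gps(app1):
    """True if an Exif APP1 payload holds a GPS pointer in its first IFD."""
    tiff = app1[6:]
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if not app1.startswith(b"Exif\x00\x00") or order is None or len(tiff) < 8:
        return False
    (ifd0,) = struct.unpack(order + "I", tiff[4:8])
    count = struct.unpack(order + "H", tiff[ifd0:ifd0 + 2].ljust(2, b"\0"))[0]
    for i in range(count):  # each IFD entry is 12 bytes, tag id first
        tag = tiff[ifd0 + 2 + 12 * i:ifd0 + 4 + 12 * i]
        if len(tag) == 2 and struct.unpack(order + "H", tag)[0] == GPS_IFD_TAG:
            return True
    return False

def gps_tagged(jpeg):
    """True if any Exif segment in the file carries a GPS pointer."""
    return any(m == 0xE1 and has_gps(p) for m, p, _ in segments(jpeg))

def strip_metadata(jpeg):
    """Return the JPEG with every metadata segment dropped, pixels untouched."""
    kept = (raw for m, _, raw in segments(jpeg) if m not in METADATA_MARKERS)
    return b"\xff\xd8" + b"".join(kept)

def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a JPEG skeleton (placeholder scan data, not a viewable
# image) whose Exif block has one IFD0 entry pointing at an empty GPS IFD.
_TIFF = (b"II*\x00" + struct.pack("<IH", 8, 1)
         + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<IHI", 0, 0, 0))
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(0xE1, b"Exif\x00\x00" + _TIFF) + _seg(0xFE, b"constructed comment")
          + b"\xff\xda\x00\x02\x11\x22\xff\xd9")

if __name__ == "__main__":
    clean = strip_metadata(SAMPLE)
    print("GPS before:", gps_tagged(SAMPLE), "| GPS after:", gps_tagged(clean))
```

Dropping APP1 also discards the Exif orientation tag, so a photo taken sideways may display rotated until it is re-saved upright.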

Keep in mind this is all about risk. If you're not worried, so be it, but if you're at high risk because of your lifestyle or activism, have some measure of notoriety, or have been directly threatened or bullied, the key is to make sure you don't hand your enemies the weapons they'd use to bludgeon you. Be smart, be safe.
