I like this, if we can fool humans with VR goggles then surely we can fool the camera by using a sufficiently detailed print or a high resolution display
What in that makes you think there are no aliasing artifacts? Yes, you can take a movie of a movie, and you introduce artifacts that simple frequency analysis will find. There's no reason ILM would even try to remove this for such an application - they simply want pretty visuals, not mathematically indistinguishable from reality digital compositing.
Take a photo. It's not a grid of values. You already screwed with high frequency components. Take a photo of that - you changed these again. It's not hard to detect this. There's an entire field for detecting forensically altered things, and no current tech goes undetected, certainly not stuff simply made for movies.
Or provide some link, paper, or serious scientific claim that ILM has magically removed all aliasing from images, which would, well, simply violate physics. What they actually do is try to move aliasing to less visible portions of a frequency spectrum - but those signals are still there and detectable.
Aliasing can be eliminated by low-pass filtering (blurring) the input signal before sampling it. This could be done by keeping the background even slightly out of focus, or coating the display.
Unless it's traded away for performance (or style choice), you are experiencing alias-free sound and image processing all day long.
>Aliasing can be eliminated by low-pass filtering (blurring) the input signal before sampling it.
Nope. I have a PhD in math, and have been doing filtering stuff for decades. You do not eliminate aliasing, you push the error out of the visible spectrum - end of story.
The naive, physically impossible undergrad textbooks might say differently, just like they'd teach Newton as gravity and ignore relativity, or teach the ideal gas law and ignore that real gasses are vastly more complex in behavior.
This is Wikipedia level knowledge: from the low-pass filter page [1]:
"However, the ideal filter is impossible to realize without also having signals of infinite extent in time, and so generally needs to be approximated for real ongoing signals, because the sinc function's support region extends to all past and future times."
So no ideal filter, sorry. That means leakage, which happens in every part of engineering (and is forced by physics, despite you not wanting to believe it). Ideal filters are math, not physics.
And this level is vastly below what is done in industry, what theory (and physics) forces onto real world filtering.
Once you discretize the signal, even after filtering, you have introduce lots of noise in lots of frequency ranges. The simple reason is that you are forced to perturb real sample values (which would require infinitely precise measurements) to the discrete ones your sensor records. These perturbations do not fit your frequency requirements. Don't believe it? Take a photo, apply your "ideal" low pass filter, then fit the resulting image using sin and cos waves of frequency no higher than than your filter - and you'll see it's impossible. You can only approximate it - and that is empirical proof you can do at home.
Another entire level that undergrad level understandings miss is that pretty much zero of the theorems you think apply actually do - because pretty much every one uses infinite precision samples (Nyquist, for example), infinite support reconstruction (physically impossible), and so on. In practice all of these things leave noise in various parts of frequency spectrums.
So, still want to argue that filters would somehow remove aliasing issues? Especially over a sensor with the number of samples and precision that a modern Sony sensor has?
>you are experiencing alias-free sound and image processing all day long
You are confusing Nyquist with reality - and ignoring that Nyquist doesn't even apply to audio (or video) - it's only an approximation to what is really happening. As an approximation it's useful, but the requirements of the theorem are not met in reality and the reconstruction is not met in reality.
Don't believe me? Go look at the proof for the Nyquist theorem, and pay attention to all the requirements that no physical device can meet. it's the frictionless spherical cow of audio processing. One glaring area it fails is the need for the infinite support sinc filter - which again is why real engineering is not so simplistic.
Then you have a signed picture of a modified picture which can't be altered further. Cryptographic signatures only ensures data integrity and authenticity after the cryptographic signature was made.
They either built some smarts into the sensor, where it's physically impossible to trick it or you can just pretend to be a sensor capturing whatever you want. I assume with enough desire, you can built a pixel-for-pixel matching LCD to illuminate each sensor photocell as desired and capture arbitrary light the physical way. But as another commenter pointed out "it's forgery-proof" ;)
What’s is the supposed business case for sharing raw, unmodified 42Mpix photos?
And if they are still modified later on, and perhaps re-signed, that’s where I would attack.
I would assume they can sign both RAWs and JPEGs. I can imagine a hardened coprocessor that can sign things coming from the sensor and image processor, so you get signed RAW and/or JPEG and you can't extract the private keys. Any modification later on means it's no longer signed. Unless I'm missing something, this is pretty good until someone extracts or leaks the private keys. Maybe they came up with something much smarter :)
> What’s is the supposed business case for sharing raw, unmodified 42Mpix photos?
TFA (TFPR?) answers this.
"This technology is particularly applicable for passports and ID verification but goes further in tackling image manipulation in the media, medical and law enforcement fields. For the insurance and construction sectors, this technology will offer a secure foundation for inspection and recording of damage."
> And if they are still modified later on, and perhaps re-signed, that’s where I would attack.
Even so, the existence of an original capture makes post-capture attacks useless. An effective attack will modify the image before it's signed.
If they did things correctly (and I assume a company like Sony did) then each camera will have its own signed certificates attributed to it. Yes you can sign fake pictures, but the signature won't be from the same camera, which is a pretty good mitigation against this.
Well first you offer signed downsizing software that only runs on windows 11 with verified boot, then after a few more steps the only way to print (on the printer you purchased but also pay for ink and a monthly subscription service) or share the photo is via sony's $19.99/mo photo software or a subscription to lightroom.
Presumably this relies on some sort of private signing key being stored securely on the camera somewhere. Do we really trust Sony's abilities to make it impossible to read out that key?
Secure Enclave-like technology is becoming more widely available. ARM can build TrustZone into any general purpose CPU; they’re probably using something like that rather than building their own security module.
The goal is to prove that you took an image of something that existed in the state it was photographed in. If you take a picture of a fake passport, you are "proving" this passport existed and looked like it did on the picture. So ... mission accomplished?
If they do it competently (or if it can be done) is a separate matter.
Then you're proving the picture you just photographed existed and looked like it did. Where are you going with this?
The utility of knowing a photograph was captured as-is should be know, as should be the ways to physically manipulate things so you capture what you want. IMO the question here should be if 1) this is the best solution for those use cases and 2) if this is implemented in a technically competent way.
I meant the end viewer will not notice it was a picture of a picture of a mountain but will rather think it's a picture of a mountain. Perhaps thinking it's an original work.
Under perfect conditions, it's very hard to tell the difference
I think the use case would be to take a photograph of a person to be used on a passport, not to take a photograph of a passport.
Optical validation of a passport from a photograph is impossible, and unnecessary. If you need to remotely validate a passport there are already secure ways of doing that using the NFC chip embedded in most passports.
A signed picture of a person attests (at best) that the person is a person (not AI generated or photoshopped). It does nothing towards proving they are the right person for their passport.
You are right, but does it need to secure absolutely every single aspect of the situation ?
If an official agent takes a picture with it at an office and saves it to that person’s file, having a stamp saying it comes from the right camera and wasn’t altered post capture is good enough in 99.9% of the situations.
Proving that person is actually who they say they are can be dealt with in other means.
> Proving that person is actually who they say they are can be dealt with in other means.
I can't imagine a situation where you have a means of doing that and you can trust the official agent to perform it, but you can't trust the official agent to sign the image so you need the camera to do it.
> > This technology is particularly applicable for passports and ID verification
> What if you take a picture of a fake passport?
This technology blocks 50 % of the possibilities of counterfeiting (before or after taking the picture); this is an infinite amount better than the 0 % that other camera vendors deliver.
Google-backed Android devices have a certificate chain where each device has its own certificate, but there's also a root of trust. So you can sign things identifying the specific device, but you can also just verify it was signed by a Google-backed Android device. They might have done something similar. Otherwise, a Sony-wide secret key is still interesting, in some sense, if done competently (which I doubt).
Would be nice to see this on their xperia smartphones. They've been copying the Alpha look and feel for a while, and I've been wanting to see signed photos on phones for a while.
Marketing hype, if I have physical access to the camera then I can get the key and sign anything. It might require specialized tools or training but it is nowhere near impossible. If I am a sovereign entity I can just compel someone to give me the key. I wouldn’t make any life changing decisions about anyone based solely on the presence of a signature.
It will be very hard to extract those keys while hiding evidence of tempering. Yes that leaves the threat of state actors, but they will probably have they keys anyway and still the technology will be good 99.99% of the time which means good enough for most intent and purposes.
> It will be very hard to extract those keys while hiding evidence of tempering.
Why do you need to hide evidence of tampering? You're not supposed to need the camera to later verify its signatures.
> good 99.99% of the time
That's a bigger disaster than not having this technology at all, because now the 0.01% of forgers will be able to say "look, my photo can't be a forgery, it's digitally signed!" and convince a lot of people who would otherwise disbelieve it.
This is the kind of technology that's useless if it's not good 100% of the time.
Parachutes can be useful even if they open 99.999% of the time.
But this is either 100% cryptograhical proven forgery-proof or it isn't. There's no "good enough" middle ground. You care for forgery-proof when important things are hanging on that being the case.
While in cryptography there is never 100% we tend to expect crypto not to have have serious known flaws and require great amounts of compute power, time and energy for brute-force attack. E.g cryptocurrency is "safe" because cost of attack is too high and require too much resources.
On other side this Sony Camera-DRM is not just useless, but dangerous especially since Sony have well established track record with backdoors and cryptography:
None of what you’re saying appears to be pertinent in this issue, since the primary objections appear to not be related to the crypto but to the end-to-end validation?
Which it’s still likely better than the current situation, which is photoshops ahoy everywhere.
They do. But we're ok with some losses now and then, if it means parachutes still saves tons of lives...
The thing is a parachute failing doesn't affect other deployments. Whereas the forgery-proof tech being able to fail means no photo with "forgery proof data" can be trusted.
Your idea of trust here seems at odds with, well, everyone else’s?
Digital photos are already used extensively without any digital signing at all in court - for very high profile cases, including murder, high stakes civil suits (Depp vs Heard), insurrection against the US, you name it.
How is this going to make it worse exactly?
The systems involved already have to deal with uncertainty, doubt, potential fraud, etc.
If there is a potential signal to help out with that, which this is, it just makes it easier to discover fraud, not bulletproof or impossible, regardless of the tech.
If it's easily broken? By providing fake assurances.
>The systems involved already have to deal with uncertainty, doubt, potential fraud, etc.
Yes, and false assurances has already been an issue with all kinds of forensic processes, and led to numerous bad convictions (numerous that we know of, there are obviously more).
I'd rather have dgital photos "without any digital signing at all" in court, and the court treating them with uncertainty, doubt, potential fraud, etc, than a easy to beat signing system that gives even 10% extra unwarranted assurances to juries and judges....
It’s like with bank cards where everyone in the judicial system for years agreed that they were safe and only when it couldn’t denied anymore suddenly it took another 3 years for the system to reflect that.
A) cryptography is hard. Chances of Sony getting it right are not good. Chances of critical flaws being found later are basically infinite.
B) 99.9% doesn’t exist with technology. Once it’s broken the exploit can be scaled.
It would be extremely hard for almost anyone to do so, and they can use signatures with per camera tokens as well as global ones. That way compromising one camera doesn't compromise all.
And there is a lot more stuff they can do to prevent such naive attacks.
By your simple reasoning, all iphones would be cracked, yet even the USA govt hasn't been able to crack into them.
And what they propose is vastly better than doing nothing.
They need to do no such thing. They never need to access the key, or anything remotely like it.
They do need to push other images from where the sensor would be :).
And is it better than nothing? I think having having which people may treat ad evidence which is trivial to fake is worse than something which people won't treat as evidence
>They do need to push other images from where the sensor would be :).
Yes, taking a new photo. However, a photo of a photo is going to show artifacts in the frequency spectrum that should not be difficult to detect.
So they cannot edit a picture, even trying to feed it back into the sensor. And. if the signing is built into the die of the sensor, it would take incredible resources to even attempt to feed new data into the sensor grid itself, tech vastly beyond anyone but a nation state.
>I think having having which people may treat ad evidence which is trivial to fake is worse than something which people won't treat as evidence
So you're against police body cams, because everyday people might be faking all the bad police interactions? Because all cameras I've looked into would be easier to tamper with than one designed with signed images that's done well.
> By your simple reasoning, all iphones would be cracked, yet even the USA govt hasn't been able to crack into them.
I don’t think this is quite the right takeaway. What the threat model is for this is not that you’d be able to crack any iPhone you like in whatever circumstances, but rather more like jail breaking one. Jailbreaks definitely exist, and depending on your need, you’d only need to jailbreak one, once. Even with a per-device token, if what you need is to generate a validly signed photo that has been manipulated (say for a passport photo or forensics), you’d be able to do that.
That's not clear. If they designed it well, the photo comes off the sensor into the equivalent of Apple's Secure Enclave, gets signed, then the data reaches the level where jailbreaks could touch it.
It would be profoundly stupid (and unlikely) that Sony would send data from the sensor to software, then sign using keys simply read into software.
So no, jailbreaks very likely would have zero ability to sign an image.
Sony's marketing department and execs should know better than over promise like this. The camera can and will be hacked, guaranteed. Like PlayStation security, it may take a while, but it'll be done. And that's only if they haven't overlooked any obvious flaws. We all know if you have physical access to the hardware, it'll happen.
Anyways, ignore the hyperbole. It's just a press release by inexperienced marketers.
The article says there might be a flaw, and it would be a huge deal. It does not state those phones are broken. It does not extract keys, which would be needed in the case of Sony cameras to sign fake pictures.
Here's a later followup article from Elcomsoft, one of the best security firms around [1]. The key quote: "checkm8 does not affect the Secure Enclave."
So no, they did not extract keys needed that would be needed to sign new phots for the Sony phone.
And later iPhones have removed this as a vector. It's unlikely Sony made the same mistakes quite old iPhones did, since they have the ability to learn from past security issues.
I mean, this is Apple versus Orange, pun intended. In the case of camera sales they’re in a worldwide slump [1], and while Sony, Canon and Nikon are big and have adjacent and alternate revenue streams, it’s very plausible Apple invests more R&D into custom silicon and/or security in a year than these companies make in total revenue from selling cameras.
I’d like to believe it’s unlikely Sony made the same mistakes but the old Amazon saying applies — “There’s no compression algorithm for experience”. One hopes that Sony learned from PS3, but I’d find it unlikely an external observer of Apple will, through observation, operate as competently as Apple.
>it’s very plausible Apple invests more R&D into custom silicon and/or security in a year than these companies make in total revenue from selling cameras.
Why would you compare all of Apple to the subset of Sony that is cameras? That's a dishonest comparison, especially if you're going to complain about apples to oranges comparisons. Why not Apple camera revenue to Sony camera revenue?
And both have very little to do with the cost to make a secure chip, which either can easily afford if desired. Apple's not spending a significant amount of their budget on the security components, after all, are they?
Certainly Sony makes enough revenue and spends enough on R&D to develop state of the art technology, including security hardware.
>One hopes that Sony learned from PS3
You really think they learned nothing since the PS3?
Everyone's skeptical in this thread (including me), but it does seem like a useful thing to do if you can make it practical. Maybe incorporating some of the design elements of a "Secure Enclave" like Touch/Face ID where physical access destroys the private key? Not an expert in this field but curious what can actually be done.
So this is basically DRM, but straight out of the camera. I can only think of a few situations where attestation that early in the chain would actually be helpful (forensics, biometrics). However, even if they are using a per-camera secret, tamper proof hardware is often not very tamper proof, especially in consumer devices. Even things like SGX have glitch attacks and similar. I question if it would really stop a determined attacker from extracting the key and using it to sign edited images. It’s next to impossible to prevent jailbreaks. Further, a low tech proof of concept solution could be to telecine an edited image onto the sensor. You’d then be able to get a signed image of almost anything without even jail breaking the device
Can’t an insurance company for instance seal the camera they provide to their agents and have a decent confidence that the signed photo are genuine ?
The default hardware might be vulnerable to ultra determined attackers but that can probably be mitigated where it’s worth doing so. Basically if the software is really working, solving for the hardware part can be done at the owner level.
Would not surprise me if 10-years from now mainstream consumer devices and platforms attempt to make it impossible to produce content that’s not able to authenticate the provenance of media.
Adobe, Arm, Intel, Microsoft, Twitter, BBC, and others appear to be working to make this a reality via the Coalition for Content Provenance and Authenticity (C2PA):
How would it work in practice? How could they forbid me to edit an "authenticated" image (which is still just an array of numbers) on gimp, and publish the modified image as raw data? Wouldn't I be then "producing content" whose provenance is not authenticated?
As long as I have a functional C compiler that can read the files on my computer, I don't see how this C2PA thing can be effective at all.
You can publish such an image, but you won’t be able to attest “this image came from my camera and is unedited”. It’ll be unsigned, so marked as “possibly edited” the way HTTP websites are marked by modern browsers as “possibly insecure”. The whole point is provenance chain - not to prevent any editing whatsoever or establish “DRM” that forbids the use of all images from a camera or something.
The ability to have unique per-camera keys with tamper-resistant storage (that can "self destruct" when it detects voltage glitching, etc) has come a long way in the last 11 years.
81 comments
[ 4.3 ms ] story [ 117 ms ] threadTake a photo. It's not a grid of values. You already screwed with high frequency components. Take a photo of that - you changed these again. It's not hard to detect this. There's an entire field for detecting forensically altered things, and no current tech goes undetected, certainly not stuff simply made for movies.
Or provide some link, paper, or serious scientific claim that ILM has magically removed all aliasing from images, which would, well, simply violate physics. What they actually do is try to move aliasing to less visible portions of a frequency spectrum - but those signals are still there and detectable.
Nope.
Aliasing can be eliminated by low-pass filtering (blurring) the input signal before sampling it. This could be done by keeping the background even slightly out of focus, or coating the display.
Unless it's traded away for performance (or style choice), you are experiencing alias-free sound and image processing all day long.
>Aliasing can be eliminated by low-pass filtering (blurring) the input signal before sampling it.
Nope. I have a PhD in math, and have been doing filtering stuff for decades. You do not eliminate aliasing, you push the error out of the visible spectrum - end of story.
The naive, physically impossible undergrad textbooks might say differently, just like they'd teach Newton as gravity and ignore relativity, or teach the ideal gas law and ignore that real gasses are vastly more complex in behavior.
This is Wikipedia level knowledge: from the low-pass filter page [1]:
"However, the ideal filter is impossible to realize without also having signals of infinite extent in time, and so generally needs to be approximated for real ongoing signals, because the sinc function's support region extends to all past and future times."
So no ideal filter, sorry. That means leakage, which happens in every part of engineering (and is forced by physics, despite you not wanting to believe it). Ideal filters are math, not physics.
And this level is vastly below what is done in industry, what theory (and physics) forces onto real world filtering.
Once you discretize the signal, even after filtering, you have introduce lots of noise in lots of frequency ranges. The simple reason is that you are forced to perturb real sample values (which would require infinitely precise measurements) to the discrete ones your sensor records. These perturbations do not fit your frequency requirements. Don't believe it? Take a photo, apply your "ideal" low pass filter, then fit the resulting image using sin and cos waves of frequency no higher than than your filter - and you'll see it's impossible. You can only approximate it - and that is empirical proof you can do at home.
Another entire level that undergrad level understandings miss is that pretty much zero of the theorems you think apply actually do - because pretty much every one uses infinite precision samples (Nyquist, for example), infinite support reconstruction (physically impossible), and so on. In practice all of these things leave noise in various parts of frequency spectrums.
So, still want to argue that filters would somehow remove aliasing issues? Especially over a sensor with the number of samples and precision that a modern Sony sensor has?
>you are experiencing alias-free sound and image processing all day long
You are confusing Nyquist with reality - and ignoring that Nyquist doesn't even apply to audio (or video) - it's only an approximation to what is really happening. As an approximation it's useful, but the requirements of the theorem are not met in reality and the reconstruction is not met in reality.
Don't believe me? Go look at the proof for the Nyquist theorem, and pay attention to all the requirements that no physical device can meet. it's the frictionless spherical cow of audio processing. One glaring area it fails is the need for the infinite support sinc filter - which again is why real engineering is not so simplistic.
[1] https://en.wikipedia.org/wiki/Low-pass_filter
The camera generates a valid signature every time you take a picture...
TFA (TFPR?) answers this.
"This technology is particularly applicable for passports and ID verification but goes further in tackling image manipulation in the media, medical and law enforcement fields. For the insurance and construction sectors, this technology will offer a secure foundation for inspection and recording of damage."
> And if they are still modified later on, and perhaps re-signed, that’s where I would attack.
Even so, the existence of an original capture makes post-capture attacks useless. An effective attack will modify the image before it's signed.
Why would sony cameras not leverage knowledge gained from iphone security features?
What if you take a picture of a fake passport?
If they do it competently (or if it can be done) is a separate matter.
The utility of knowing a photograph was captured as-is should be know, as should be the ways to physically manipulate things so you capture what you want. IMO the question here should be if 1) this is the best solution for those use cases and 2) if this is implemented in a technically competent way.
Under perfect conditions, it's very hard to tell the difference
Optical validation of a passport from a photograph is impossible, and unnecessary. If you need to remotely validate a passport there are already secure ways of doing that using the NFC chip embedded in most passports.
If an official agent takes a picture with it at an office and saves it to that person’s file, having a stamp saying it comes from the right camera and wasn’t altered post capture is good enough in 99.9% of the situations.
Proving that person is actually who they say they are can be dealt with in other means.
I can't imagine a situation where you have a means of doing that and you can trust the official agent to perform it, but you can't trust the official agent to sign the image so you need the camera to do it.
> What if you take a picture of a fake passport?
This technology blocks 50 % of the possibilities of counterfeiting (before or after taking the picture); this is an infinite amount better than the 0 % that other camera vendors deliver.
;-)
Is there a public certificate registry?
Why do you need to hide evidence of tampering? You're not supposed to need the camera to later verify its signatures.
> good 99.99% of the time
That's a bigger disaster than not having this technology at all, because now the 0.01% of forgers will be able to say "look, my photo can't be a forgery, it's digitally signed!" and convince a lot of people who would otherwise disbelieve it.
If I know my camera was tampered with, I can invalidate the signing key.
This is the kind of technology that's useless if it's not good 100% of the time.
Parachutes can be useful even if they open 99.999% of the time.
But this is either 100% cryptograhical proven forgery-proof or it isn't. There's no "good enough" middle ground. You care for forgery-proof when important things are hanging on that being the case.
Nothing is ever 100%
On other side this Sony Camera-DRM is not just useless, but dangerous especially since Sony have well established track record with backdoors and cryptography:
https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootk...
https://www.engadget.com/2010-12-29-hackers-obtain-ps3-priva...
https://www.pcworld.com/article/411221/backdoor-accounts-fou...
Which it’s still likely better than the current situation, which is photoshops ahoy everywhere.
They do. But we're ok with some losses now and then, if it means parachutes still saves tons of lives...
The thing is a parachute failing doesn't affect other deployments. Whereas the forgery-proof tech being able to fail means no photo with "forgery proof data" can be trusted.
Digital photos are already used extensively without any digital signing at all in court - for very high profile cases, including murder, high stakes civil suits (Depp vs Heard), insurrection against the US, you name it.
How is this going to make it worse exactly?
The systems involved already have to deal with uncertainty, doubt, potential fraud, etc.
If there is a potential signal to help out with that, which this is, it just makes it easier to discover fraud, not bulletproof or impossible, regardless of the tech.
If it's easily broken? By providing fake assurances.
>The systems involved already have to deal with uncertainty, doubt, potential fraud, etc.
Yes, and false assurances has already been an issue with all kinds of forensic processes, and led to numerous bad convictions (numerous that we know of, there are obviously more).
I'd rather have dgital photos "without any digital signing at all" in court, and the court treating them with uncertainty, doubt, potential fraud, etc, than a easy to beat signing system that gives even 10% extra unwarranted assurances to juries and judges....
It’s like with bank cards where everyone in the judicial system for years agreed that they were safe and only when it couldn’t denied anymore suddenly it took another 3 years for the system to reflect that.
A) cryptography is hard. Chances of Sony getting it right are not good. Chances of critical flaws being found later are basically infinite.
B) 99.9% doesn’t exist with technology. Once it’s broken the exploit can be scaled.
And there is a lot more stuff they can do to prevent such naive attacks.
By your simple reasoning, all iphones would be cracked, yet even the USA govt hasn't been able to crack into them.
And what they propose is vastly better than doing nothing.
They do need to push other images from where the sensor would be :).
And is it better than nothing? I think having having which people may treat ad evidence which is trivial to fake is worse than something which people won't treat as evidence
Yes, taking a new photo. However, a photo of a photo is going to show artifacts in the frequency spectrum that should not be difficult to detect.
So they cannot edit a picture, even trying to feed it back into the sensor. And. if the signing is built into the die of the sensor, it would take incredible resources to even attempt to feed new data into the sensor grid itself, tech vastly beyond anyone but a nation state.
>I think having having which people may treat ad evidence which is trivial to fake is worse than something which people won't treat as evidence
So you're against police body cams, because everyday people might be faking all the bad police interactions? Because all cameras I've looked into would be easier to tamper with than one designed with signed images that's done well.
I don’t think this is quite the right takeaway. What the threat model is for this is not that you’d be able to crack any iPhone you like in whatever circumstances, but rather more like jail breaking one. Jailbreaks definitely exist, and depending on your need, you’d only need to jailbreak one, once. Even with a per-device token, if what you need is to generate a validly signed photo that has been manipulated (say for a passport photo or forensics), you’d be able to do that.
It would be profoundly stupid (and unlikely) that Sony would send data from the sensor to software, then sign using keys simply read into software.
So no, jailbreaks very likely would have zero ability to sign an image.
Anyways, ignore the hyperbole. It's just a press release by inexperienced marketers.
Ever look at the list of uncracked videogames and how long the top ones have lasted?
https://www.wired.com/story/ios-exploit-jailbreak-iphone-ipa...
The article says there might be a flaw, and it would be a huge deal. It does not state those phones are broken. It does not extract keys, which would be needed in the case of Sony cameras to sign fake pictures.
Here's a later followup article from Elcomsoft, one of the best security firms around [1]. The key quote: "checkm8 does not affect the Secure Enclave."
So no, they did not extract keys needed that would be needed to sign new phots for the Sony phone.
And later iPhones have removed this as a vector. It's unlikely Sony made the same mistakes quite old iPhones did, since they have the ability to learn from past security issues.
[1] https://blog.elcomsoft.com/2021/05/checkm8-based-extraction-...
I’d like to believe it’s unlikely Sony made the same mistakes but the old Amazon saying applies — “There’s no compression algorithm for experience”. One hopes that Sony learned from PS3, but I’d find it unlikely an external observer of Apple will, through observation, operate as competently as Apple.
[1] https://www.popphoto.com/news/the-camera-industry-is-changin...
Why would you compare all of Apple to the subset of Sony that is cameras? That's a dishonest comparison, especially if you're going to complain about apples to oranges comparisons. Why not Apple camera revenue to Sony camera revenue?
And both have very little to do with the cost to make a secure chip, which either can easily afford if desired. Apple's not spending a significant amount of their budget on the security components, after all, are they?
Certainly Sony makes enough revenue and spends enough on R&D to develop state of the art technology, including security hardware.
>One hopes that Sony learned from PS3
You really think they learned nothing since the PS3?
The default hardware might be vulnerable to ultra determined attackers but that can probably be mitigated where it’s worth doing so. Basically if the software is really working, solving for the hardware part can be done at the owner level.
People have been using digital photos with nothing already for a long time in court.
Adobe, Arm, Intel, Microsoft, Twitter, BBC, and others appear to be working to make this a reality via the Coalition for Content Provenance and Authenticity (C2PA):
https://c2pa.org/
As long as I have a functional C compiler that can read the files on my computer, I don't see how this C2PA thing can be effective at all.
https://youtu.be/LP1t_pzxKyE?t=248