What I find the most interesting about this article is that someone was able to be identified using a picture of their fingerprints.
Thus, any photos posted online could be scoured for identification information. And with computer vision technologies becoming more mature, it means that regular video footage of people could identify them the same way in seconds or less using a wide variety of different visual traits.
The implications of this on individual privacy are immense.
There was some pytorch software called "enhance", i.e. ./enhance <image> [options] and you could take an image that someone took of their unpowered tv across the room and pull out a high resolution image of their face from the reflection in the matte-ish surface.
I used it on reddit to convince people it was unsafe to post any images of that sort. It seemed to work for about 6 months.
There's magic in image enhancement, but I don't know that ridges and valleys of a fingerprint are there, yet. I don't even know that "this specific person is scared that they leaked their face in a way that is recognizable to them" even scales to "never upload anything" - it could be this sort of news is programming the population that computers can tease out identities with any and all leaked information, pictures, audio, etc.
Heck, a decade and a half ago there were claims that governments could narrow a search for an audio file upload based on the deviation from 60hz on the power line noise - in an audio recording.
> Heck, a decade and a half ago there were claims that governments could narrow a search for an audio file upload based on the deviation from 60hz on the power line noise - in an audio recording.
I'm curious about this photo-enhancement tool, because it's also a common joke in some circles that police procedural TV shows use "Zoom! Enhance!" when blurry photos -- or photos zoomed in until they're pixelated -- typically can't be enhanced for information-theoretic reasons. (Of course, if you can make assumptions about what the photo is of and what structure that thing would have, you can make relatively-likelihood estimates of different possibilities for the subject matter, such as different text strings in a blurry or pixelated photo of text.)
So, under some assumptions this typically shouldn't be able to work. :-)
> identified using a picture of their fingerprints
It's not clear to me that they identified him that way. It might be that they arrested him due to other evidence, compared the fingerprints afterward, and told him that they could prove the fingerprints matched, whereupon he pled guilty.
It's no unheard of to elicit guilty pleas using less than scientifically robust forensic methods.
Indeed. I got the impression this was one of many pieces of evidence used to put the case together.
The biggest one was the money laundering.
Porras had used a money laundering service controlled by Homeland Security Investigations. Vendors sent the money launderer a certain amount of Bitcoin and the money launderer mailed cash back to the vendor. At some point in the money launderer’s career, federal agents quietly took control of the money laundering operation and used the position to identify dozens of darkweb vendors.
I’ve reflected on the fact that some makers on YouTube wear gloves and wondered if this is for privacy reasons. I see globes being worn even when they’re not obviously doing anything that risk getting their fingers dirty.
Possibly to hide damaged cuticles, dirty fingernails, or something else unsightly. Comments will harp on just about any flaw. Ben Heck addressed comments about his fingers' condition, but he just offers some sarcasm about them instead of hiding it. Some might resort to gloves.
That could just be for continuity - so if they shoot the video out of order, you don't get the gloves appearing and disappearing and reappearing between scenes.
I wouldn't be surprised if writing style could also be used. I tend to use certain constructions and vocabulary across many of my comments. Some are under a handle with little or no link to my real identity, and some are quite the opposite. I expect someone could deanonymize the former based on correlation of writing style with the latter.
Anyone engaging in legally questionable activity who didn't already consider this attack vector and take it seriously simply haven't been paying attention and have bad OPSEC.
The possibility of this kind of attack has always been mathematically possible and it doesn't take machine learning or computer vision to do it. It boils down to basic linear transformation.
There's a long history of attempts to identify persons by photos of fingerprints for evidence, there's just a level of uncertainty involved which make it more suited for gathering intelligence than court-submitted evidence.
Facial recognition would be much easier then looking for fingerprints. Given all the social media apps steadily growing their datasets, won't be long before a leaked dump of a greater part of the whole world population data will be available to anyone. Maybe facial surgery will be a major thing in the future. Or we will all wear masks anytime, beside viruses.
I know, that's not a bright vision of the future. I wonder where is the line where technology will switch from useful to socially dangerous and how far we are from it. To tell the truth, it already kind of switched from useful to a useless waste of time in many cases.
Or the day when FAANG & other big tech will get bored with selling those stupid ads and move on to more powerful and scary things.
How is that surprising? Isn't it absolutely obvious and technically trivial? They'll manipulate it into something monochrome with sufficient contrast and feed it into their database - done.
Having said that it could just as obviously be a deceit to distract from an informant or other sources of information.
It's incredible that so much tax payer money and human resources are devoted to defend pharmaceutical companies monopoly on drugs. By his inventory it sounds like his customers would likely be people with chronic conditions that have strong presence of pharmaceutical lobby to prevent legal sales of cannabis and probably cannot afford Xanax through legal means because the cost of getting medical help is extortionate.
That wouldn't be too far from truth. 75 percent of people started their addiction from prescription medication who then turn to the black market to maintain their habit. The big pharma is loosing a large profit. They heavily opposed marijuana legalization, their role in the war on drugs is quite clear to me.
I strongly suspected that is what they did too. Got to wonder if they used the EXIF data to find him - linking photos of the pot and other social media/etc public shots, then used the fingerprints as parallel construction.
Imgur strips exif by default. I agree it sounds like parallel construction.
The article mentions they compared his finger prints to those from the picture. How did they know to check against his prints? Sounds like they already knew who it was, by means that aren't admissible as evidence.
Not digitally embedded as EXIF since it was uploaded to Imgur which AFAIK strip those out, but more like lens scratches and sensor noise, similar to [0].
'So we have these fingerprints, and we think they belong to this guy we already have prints on file for. Can you give us a yes/no answer if they match up?'
seems like a pretty low bar for evidence. Seems like the kind of thing that could heavily skew towards telling you what you want to hear. Maybe someone else knows if it actually works like that, the writeup made it sound like that to me.
I'm just some guy who saw a tv documentatary at some point about how forensic techniques that worked like that got called into question when conflicting DNA evidence started turning up.
My understanding from skimming the article is, they only identified the suspect from fingerprints. After identification they did surveillance and gathered additional evidence.
> The FDL [HSI Forensic Document Laboratory] returned the request after conducting a comparative analysis of the friction ridge detail of the fingerprints from the Imgur album and the fingerprint samples taken after police had arrested Porras for a different crime. The fingerprints in the Imgur album matched the prints they already had on file for Porras.
It doesn't sound like that to me, but maybe I am misunderstanding what a comparative analysis would entail.
Although not mentioned clearly in the complaint it's very possible the initial matching was done through the FBI's or another automated query system. This is a standard practice used in law enforcement investigations - capture fingerprints however you can and submit them to the FBI, which returns a report of possible matches. The automated matches would need to be followed up on with manual comparison, esp. due to the unusual nature of the fingerprint capture here, and this manual comparison is going to be the part mentioned in the complaint because it most clearly establishes a link.
> Law enforcement made a number of controlled purchases during the investigation into Porras and his co-conspirators. The purchases and subsequent surveillance followed the same pattern every time: make a purchase; watch Porras drive to a storage facility where he stored product; follow Porras to the Post Office; talk to Postal Inspectors about the package Porras or his co-conspirator had dropped into a USPS Blue Box.
I don't like to sound like I'm wearing tinfoil, but I'm not sure I believe this. We keep getting eyebrow-raising explanations for how computer criminals are caught; I always ask why bother?
The American intelligence apparatus has compromised nearly all network traffic, from hardware backdoors on up. I assume the real way this person was detected and caught would be too embarrassing to admit, hence the fingerprints-from-a-photo cover.
it would be a national security catastrophe if it leaked that NSA was bulk decrypting all TLS/SSL traffic Internet-wide, by using a giant rainbow table of prime pair products for instant decryption without factoring, which was first proposed by Rabin back in 1997 at a NIST working group for establishing crypto standards.
then NSA would lose the biggest SIGINT advantage since ENIGMA back in WW2.
so instead, DEA is tasked with finding the dummies who post photos of their hands or bookshelves or who made n00b opsec mistakes like re-using handles or email accounts that connect to their real names. then DEA applies Parallel Construction to fabricate an investigative evidence chain to present to the Court. the Court never needs to know the truth.
by the way, i personally do believe NSA is doing this, and all of Tor is as good as plain text to Ft Meade, because Rabin's idea really would scale with today's computing and storage capacities, and because that is exactly what i would do too.
> by the way, i personally do believe NSA is doing this, and all of Tor is as good as plain text to Ft Meade, because Rabin's idea really would scale with today's computing and storage capacities, and because that is exactly what i would do too.
I love to talk about how we can mitigate attacks on cryptography as much as the next person, but have you looked at what algorithms Tor uses?
While they have a bunch of alarming legacy 1024-bit RSA and DH stuff, they also have Ed25519 identities and Curve25519 ECDH key exchange, plus running everything over TLS with various ciphersuites -- many of which are now ECDH.
going to have to call shenanigans on "by using a giant rainbow table of prime pair products for instant decryption without factoring, which was first proposed by Rabin back in 1997 at a NIST working group for establishing crypto standards."
If having this information advantage is so important to national security why let the DEA be involved at all? Either the national security angle is bs or they care more about enforcing drug laws than protecting our country.
> Porras also admitted possessing a Model A uzi-style pistol; a MAK 90; and an S&W .44 caliber revolver. Although all weapons in Porras’ possession were legal firearms (the uzi-style pistol used post ban parts), a felony conviction for possession with intent precluded firearm ownership.
Can someone explain this part to me. Was he previously convicted of a crime that precluded ownership? Or are the police able to take legal behaviour and change it to illegal behaviour later on?
It mentions he had already been a convicted, or at least arrested, for a prior crime. That's why they had his fingerprints on file.
Whether that crime was a felony, I don't know.
But I believe the "felons can't possess firearms" also includes possession while committing a felony - you don't need an actual conviction (but the felony would need to be proved).
That he was previously convicted of felony possession with intent to distribute and that this precluded him from owning firearms is the only felicitous reading of that sentence.
It's actually more complicated than that. In many states if you are convicted of a non-violent felony then at the end of your sentence your firearm rights are automatically restored. There are also the cases of pardons, expungements, and other restorations of civil rights. It varies by state, and while USC 922(g) outlaws firearm ownership possession by any felon, in practice the Federal courts look at whether the person has had their civil rights restored in the state of the alleged offense. When it comes to Federal charges, the prospect of amelioration is grim. In the Federal scenario, there is no expungement or pathway to restore your civil rights, but a pardon is possible. [0]
There's also a discussion to be had about your and the legal definition of a "gun." For example, antique firearms such as some black powder rifles are specifically excepted [1] from the Federal legislation, but it could vary on a state by state basis.
> We know, thanks to documents from other Operation Dark Gold cases, that Porras had used a money laundering service controlled by Homeland Security Investigations
I’m reading a lot of comments here which tackle the thorny topic of decriminalization of drugs in the US that we have historically over-prosecuted. I happen to agree with this sentiment as well. But almost everyone here arguing for a middle ground agrees that things won’t change because all three branches of the US seem determined to keep a hard-line or zero tolerance policy on drugs, even when legalization and medical supervision, creation of new business and exploration of safer alternatives and research into benefits of said drugs are brought up as arguments and are summarily dismissed because “reasons”.
What are some actual, practical steps we all can take towards making decriminalization a reality?
Readit News
Thus, any photos posted online could be scoured for identification information. And with computer vision technologies becoming more mature, it means that regular video footage of people could identify them the same way in seconds or less using a wide variety of different visual traits.
The implications of this on individual privacy are immense.
I used it on reddit to convince people it was unsafe to post any images of that sort. It seemed to work for about 6 months.
There's magic in image enhancement, but I don't know that ridges and valleys of a fingerprint are there, yet. I don't even know that "this specific person is scared that they leaked their face in a way that is recognizable to them" even scales to "never upload anything" - it could be this sort of news is programming the population that computers can tease out identities with any and all leaked information, pictures, audio, etc.
Heck, a decade and a half ago there were claims that governments could narrow a search for an audio file upload based on the deviation from 60hz on the power line noise - in an audio recording.
So who knows?
Wow. Any source for this?
So, under some assumptions this typically shouldn't be able to work. :-)
edit: extensively documented at https://tvtropes.org/pmwiki/pmwiki.php/Main/EnhanceButton, for example
It's not clear to me that they identified him that way. It might be that they arrested him due to other evidence, compared the fingerprints afterward, and told him that they could prove the fingerprints matched, whereupon he pled guilty.
It's no unheard of to elicit guilty pleas using less than scientifically robust forensic methods.
The biggest one was the money laundering.
Porras had used a money laundering service controlled by Homeland Security Investigations. Vendors sent the money launderer a certain amount of Bitcoin and the money launderer mailed cash back to the vendor. At some point in the money launderer’s career, federal agents quietly took control of the money laundering operation and used the position to identify dozens of darkweb vendors.
https://imgur.com/82yHUoM
I reckon that'd be enough to run through a database.
Alone it's not conclusive, but it's one more piece of evidence linking all of the activity together.
The possibility of this kind of attack has always been mathematically possible and it doesn't take machine learning or computer vision to do it. It boils down to basic linear transformation.
There's a long history of attempts to identify persons by photos of fingerprints for evidence, there's just a level of uncertainty involved which make it more suited for gathering intelligence than court-submitted evidence.
I know, that's not a bright vision of the future. I wonder where is the line where technology will switch from useful to socially dangerous and how far we are from it. To tell the truth, it already kind of switched from useful to a useless waste of time in many cases.
Or the day when FAANG & other big tech will get bored with selling those stupid ads and move on to more powerful and scary things.
Having said that it could just as obviously be a deceit to distract from an informant or other sources of information.
https://www.wired.com/2008/03/hackers-publish/
The article you link neither talks about a fingerprint of Angela Merkel nor about a fingerprint recovered from a photograph.
(But a CCC group did indeed years later show a politicians fingerprint recovered from a photo, but again not Merkels)
I thought via the title that they fingerprinted the lens used to take the photograph, not that there was literal pictures of fingers.
I, too, thought parallel construction.
The article mentions they compared his finger prints to those from the picture. How did they know to check against his prints? Sounds like they already knew who it was, by means that aren't admissible as evidence.
[0]: https://ieeexplore.ieee.org/document/1634362
seems like a pretty low bar for evidence. Seems like the kind of thing that could heavily skew towards telling you what you want to hear. Maybe someone else knows if it actually works like that, the writeup made it sound like that to me.
I'm just some guy who saw a tv documentatary at some point about how forensic techniques that worked like that got called into question when conflicting DNA evidence started turning up.
It doesn't sound like that to me, but maybe I am misunderstanding what a comparative analysis would entail.
The American intelligence apparatus has compromised nearly all network traffic, from hardware backdoors on up. I assume the real way this person was detected and caught would be too embarrassing to admit, hence the fingerprints-from-a-photo cover.
it would be a national security catastrophe if it leaked that NSA was bulk decrypting all TLS/SSL traffic Internet-wide, by using a giant rainbow table of prime pair products for instant decryption without factoring, which was first proposed by Rabin back in 1997 at a NIST working group for establishing crypto standards.
then NSA would lose the biggest SIGINT advantage since ENIGMA back in WW2.
so instead, DEA is tasked with finding the dummies who post photos of their hands or bookshelves or who made n00b opsec mistakes like re-using handles or email accounts that connect to their real names. then DEA applies Parallel Construction to fabricate an investigative evidence chain to present to the Court. the Court never needs to know the truth.
by the way, i personally do believe NSA is doing this, and all of Tor is as good as plain text to Ft Meade, because Rabin's idea really would scale with today's computing and storage capacities, and because that is exactly what i would do too.
just what do you think Bluffdale is really for?
I love to talk about how we can mitigate attacks on cryptography as much as the next person, but have you looked at what algorithms Tor uses?
While they have a bunch of alarming legacy 1024-bit RSA and DH stuff, they also have Ed25519 identities and Curve25519 ECDH key exchange, plus running everything over TLS with various ciphersuites -- many of which are now ECDH.
https://github.com/torproject/torspec/blob/master/tor-spec.t...
The type of handshake and key exchange is chosen by the client, and I think the default has been to prefer the ntor method for a long time.
Whats that all about bro?
Can someone explain this part to me. Was he previously convicted of a crime that precluded ownership? Or are the police able to take legal behaviour and change it to illegal behaviour later on?
Whether that crime was a felony, I don't know.
But I believe the "felons can't possess firearms" also includes possession while committing a felony - you don't need an actual conviction (but the felony would need to be proved).
Certainly if he was previously convicted he can't legally poses a firearm.
However I believe that possession of a firearm while operating a drug distribution business is also illegal.
The article seems ambiguous on which it is.
There's also a discussion to be had about your and the legal definition of a "gun." For example, antique firearms such as some black powder rifles are specifically excepted [1] from the Federal legislation, but it could vary on a state by state basis.
[0] https://www.justice.gov/archives/jm/criminal-resource-manual...
[1] https://www.law.cornell.edu/uscode/text/18/921
Geeze
What are some actual, practical steps we all can take towards making decriminalization a reality?