Steve
Security is inefficient
Consultant
join:2001-03-10
Tustin, CA
edit:
August 4th, @09:06PM
| reply to NetFixer
Re: Digital camera a security risk?
said by NetFixer  :Unless you have privacy issues with someone knowing the brand/model of the digital camera you use and/or the timestamp information, the EXIF information is in no way a privacy or security issue. Oh yah? 
EXIF can contain a thumbnail of the image, and it's often maintained even after the full image has been mucked with in photoshop.
I recall a headshot that a pretty girl posted of herself on Craigslist, and though it had been cropped, the original uncropped thumbnail was still in the EXIF. Let's just say we got to see a bit more of the pretty girl than she intended. Woot!
Likewise, that racy picture that you pixellated or added black bars to? The thumbnail didn't get those edits. Surprise! See the above sample taken from this site (examples are easy to find, but it's harder to find a "good" one that's nevertheless suitable for posting in a public forum).
It's fun to investigate pictures with my brother's online EXIF viewer, which will show thumbnails if the EXIF contains them.
This is a classic example of hidden metadata, and photographs are not immune; this makes it a security issue.
Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site |
|
NetFixer
Snarl for the camera please
Premium
join:2004-06-24
Murfreesboro, TN
 ·Vonage
 ·Cingular Wireless
·AT&T CallVantage
 ·AT&T Southeast
 ·Comcast
edit:
August 4th, @09:49PM
| said by Steve :Oh yah? EXIF can contain a thumbnail of the image, and it's often maintained even after the full image has been mucked with in photoshop. I forgot all about those pesky little thumbnails. 
On the other hand, the Exifer program I suggested will zap those as well as the other camera EXIF information!.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
dolphins
Miami Dolphins
Premium
join:2001-08-22
Westville, NJ
·Comcast
| reply to Steve
WooHoo... Got some asian sites I wanna visit now.  Do you have an app that can clear pixelation? 
--
Prevent Malware |
|
fatness
subtle
Janitor
join:2000-11-17
fishing
Host:
Earthlink DSL
TekSavvy
Forum Feature Requ..
Need Site Help?
Sports Chat
| reply to Steve
said by Steve :EXIF can contain a thumbnail of the image, and it's often maintained even after the full image has been mucked with in photoshop. That's what happened to Cat Schwartz of TechTV. Not that I would know.
--
Sure, that'll work.. |
|
EGeezer
Spring is here
Premium
join:2002-08-04
Country!
·RoadRunner Cable
·AT&T CallVantage
| reply to Steve
Firefox also has a nice little EXIF viewer extension written by Alan Raskin - See here.
--
Sive enim ad sapientiam perveniri potest, non paranda nobis solum ea, sed fruenda etiam est |
|
rosco
Lumbergh
Premium
join:2003-11-10
Catskill, NY
| reply to Steve
I remember when Cat Schwartz from techtv had a problem where she cropped a topless photo of herself and didnt realize the whole photo was viewable in the exif thumbnail...Kevin Rose had a funny post on his site about how to not be like her and remove the EXIF info. |
|
nfixit2004
Premium
join:2004-01-06
Brooklyn, NY
·Verizon Online DSL
| reply to Steve
said by Steve :said by NetFixer :Unless you have privacy issues with someone knowing the brand/model of the digital camera you use and/or the timestamp information, the EXIF information is in no way a privacy or security issue. Oh yah? EXIF can contain a thumbnail of the image, and it's often maintained even after the full image has been mucked with in photoshop. I recall a headshot that a pretty girl posted of herself on Craigslist, and though it had been cropped, the original uncropped thumbnail was still in the EXIF. Let's just say we got to see a bit more of the pretty girl than she intended. Woot! Likewise, that racy picture that you pixellated or added black bars to? The thumbnail didn't get those edits. Surprise! See the above sample taken from this site (examples are easy to find, but it's harder to find a "good" one that's nevertheless suitable for posting in a public forum). It's fun to investigate pictures with my brother's online EXIF viewer, which will show thumbnails if the EXIF contains them. This is a classic example of hidden metadata, and photographs are not immune; this makes it a security issue. Steve Wow this is something I did not know! so when you think you have blocked something out it still can be seen? is there a way to get rid of the thumbnails |
|
NetFixer
Snarl for the camera please
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
edit:
August 5th, @08:15PM
| said by nfixit2004 :Wow this is something I did not know! so when you think you have blocked something out it still can be seen? is there a way to get rid of the thumbnails If you are really troubled about publishing the EXIF information (including the EXIF thumbnails), an excellent free program can be downloaded from »www.exifer.friedemann.info/ which can save, delete, and restore EXIF information (including the EXIF thumbnails) from JPEG and TIFF images.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
Sentinel
Premium
join:2001-02-07
Florida | reply to nfixit2004
This is interesting and might help...
»netzreport.googlepages.com/hidde···les.html |
|
nfixit2004
Premium
join:2004-01-06
Brooklyn, NY
·Verizon Online DSL
| reply to NetFixer
said by NetFixer :said by nfixit2004 :Wow this is something I did not know! so when you think you have blocked something out it still can be seen? is there a way to get rid of the thumbnails If you are really troubled about publishing the EXIF information (including the EXIF thumbnails), an excellent free program can be downloaded from » www.exifer.friedemann.info/ which can save, delete, and restore EXIF information (including the EXIF thumbnails) from JPEG and TIFF images. thanks for your reply also thanks to Sentinel for the link also, my concern was what about when you post a pic and use a photo app to block out potentially private info(and everyone does this alot) it can still be seen through thumbnails, this is something that needs to be known. most people think(my self included(well until now)) once you use the paint brush tool you have lost the risk involved with posting certain pics.(not that everyone saves and opens up the thumbnails of every pic they see in an online forum). but it is something to know. also I think the makers of certain software apps( ex snagit) should pay attention to matters like this, and explain this to buyers
thanks again |
|
Sentinel
Premium
join:2001-02-07
Florida
·RoadRunner Cable
 ·CCLHosting
| Due to this topic I have been checking EXIF data using various apps for fun to see what I can find. Most is just useless camera info and I have not been able to find one thumbnail. Perhaps you have to have the program that was used to edit the pic in the first place?
I have been checking with Irfanview, default Windows picture viewer, Jasc PSP, and Nero image viewer. So far I haven't seen anything odd.
Until today. Today I found a pic that had a weird series of characters in an "artist comment" field. I could not decipher it. Irfanview would not show it, neither would PSP. But Nero showed a very long (35K) series of numbers. I don't know what it is but it is a very long series of numbers that are in pairs. Is that hex?
Anyways, I am going to keep trying to find an app that can decipher it. |
|
AmeritecTech
Change we can believe in, 1922
Premium
join:2002-09-06
00000 | If you want to post it, we can try various things.
35K?? Jesus. |
|
NetFixer
Snarl for the camera please
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
edit:
August 7th, @09:43PM
| reply to Sentinel
said by Sentinel :Due to this topic I have been checking EXIF data using various apps for fun to see what I can find. Most is just useless camera info and I have not been able to find one thumbnail. Perhaps you have to have the program that was used to edit the pic in the first place? Try using Exifer, many image display/manipulation programs do not display the EXIF ID information properly and they create their own preview thumbnails rather than using the EXIF thumbnail.
The screen capture images below show Exifer displaying JPEG images both without and with EXIF information.
Exifer displaying image with no EXIF
Exifer displaying image with EXIF
EDIT: I may have to retract my support for the Exifer program. I just discovered a serious bug. The upper image in this post actually does contain valid EXIF data (including an EXIF thumbnail). It and and 45 other images from the same camera and flash card in that folder all have valid EXIF data, but Exifer does not display it.
I guess I am going to have to start looking for another EXIF editing program (which was primarily my purpose for using Exifer). 
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
Sentinel
Premium
join:2001-02-07
Florida
·RoadRunner Cable
·CCLHosting
| Yeah, I tried that program with a few of my own pics to see if it displayed the thumbnail properly and it did not. It is an old program though (2002?) so maybe something newer might be better.
If you find anything let me know. I'd like to see it. |
|
JTM1051
MVM
join:2000-07-08
Moorpark, CA
edit:
August 9th, @07:29PM
| reply to NetFixer
said by NetFixer :... I guess I am going to have to start looking for another EXIF editing program (which was primarily my purpose for using Exifer). Have you looked at Opanda?
Have a free Opanda IEXIF Viewer and PowerExif, "a professional EXIF Editor".
Edit: Noticed that the way I wrote the post it may be misunderstood that both Opanda IEXIF Viewer and PowerExif are free--sorry the PowerExif is not free.
(Comma should have been after Opanda IEXIF Viewer, not PowerExif) |
|
NetFixer
Snarl for the camera please
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
| said by JTM1051 :Have you looked at Opanda? Have a free Opanda IEXIF Viewer and PowerExif, "a professional EXIF Editor".
Thanks for the tip, I will check it out.
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
Sentinel
Premium
join:2001-02-07
Florida
·RoadRunner Cable
·CCLHosting
| reply to Steve
OK, hate to keep bringing this up but ... it interested me so I kept playing around with it to try to see for real what kind of a threat this really could be be. Here it what I have come up with.
After playing around with numerous pics (my own and some from the web) I have found that yeah, there are sometimes thumbnails saved with the pic depending on camera and imaging software used. However, these images are usually very very small in size and *IF* there are there at all they are very very hard to enlarge. They get pixilated very quickly and practically unviewable.
So therefore they are of minimal value. I mean if someone crops a picture and crops out a hotel in the background or something then, yeah you would see that there is a building in the background, but if you try to enlarge it to see what building you won't be able to. If they black out the eyes with a black bar then yes, you *might* be able to see the thumbnail without the bar *BUT* it will be so small and pixilated that you will not be able to make out the face.
That said I found the aforementioned pics of the lady from TV that posted the pics that had thumbnails of her topless and I have no idea how whoever got those was able to make full size reproductions of the originals. Most programs will show the full pic in the thumbnail but it will be tiny and any attempt to enlarge it will result in a useless heavily pixilated image of a glob. I don't know how they were able to make such a large size unmasked pic *unless* she eventually posted the originals herself.
Am I missing something? |
|
NetFixer
Snarl for the camera please
Premium
join:2004-06-24
Murfreesboro, TN
·Vonage
·Cingular Wireless
·AT&T CallVantage
·AT&T Southeast
·Comcast
edit:
August 25th, @06:27PM
| The size and quality of the EXIF thumbnail can depend on the source and size of the original image. Some high resolution cameras will produce rather large thumbnails. The 1.2 megapixel (1280x960) image below is an EXIF thumbnail extracted from one of my slide duplication images. You may find it interesting that this thumbnail image also contains its own EXIF data including a 160x120 thumbnail image (also displayed below).
1280x960 thumbnail image
160x120 thumbnail image
EDIT: Here is the "original"* image from which the 1280x960 thumbnail was extracted.
* Actually this image was converted to JPEG format from a much larger TIFF image which was converted from the native RAF image format from which the 1280x960 thumbnail was extracted. I converted it to JPEG for easier (and more compatible) web page viewing.
2816x2120 "original" image
--
We can never have enough of nature.
We need to witness our own limits transgressed, and some life pasturing freely where we never wander.
Test your firewall. |
|
Sentinel
Premium
join:2001-02-07
Florida
·RoadRunner Cable
·CCLHosting
| Wow. That's very interesting. I had no idea that different cameras could produce different size thumbnails. I will have to check that out. Thanks for that info NetFixer.
jaykaykay,
Obviously security has levels and this may rate low in most respects but higher in others depending on what kind of person you are, what you do for a living and what you use your pictures for.
This *could* be a problem for some depending on circumstances as has been already pointed out about the lady who worked at the TV station. More examples could obviously be shown. Imagine you crop a picture to cut someone out and then tell your spouse that that other person was not there? EXIF thumbnail could show you to be liar and could be admissible in court at your divorce hearing
We could go on with hundreds of such examples. If you were sending an email and it had some code in it that was potentially descriptive you would want a way to clean it. I see this as similar. Just depends on situation and circumstances whether this is just aparlor trick or potentially harmful. |
|
BandHeight
join:2004-08-30
Portland, TX
| reply to NetFixer
said by NetFixer :said by JTM1051 :Have you looked at Opanda? Have a free Opanda IEXIF Viewer and PowerExif, "a professional EXIF Editor". Thanks for the tip, I will check it out. You might want to check into ExifTool (command line tool):
»www.sno.phy.queensu.ca/~phil/exiftool/
I consider it the ultimate ... so I'd be interested in whether the thumbnail metadata that slipped by Exifer also gets by ExifTool (I doubt it ).
It will require some reading of the docs to get the most out of it, but it can be simple to use as well. Works great for me on Linux and Windows, and works on Mac as well, though I haven't tried the Mac version. |
|
