Cryptographic signatures are something we should have been normalizing for awhile now.
I remember during the LTT Linux challenge, at one point they were assigned the task “sign a PDF.” Linus interpreted this as PGP sign the document, which apparently Okular can do but he didn’t have any credentials set up. Luke used some online tool to photoshop an image of his handwriting into the document.
The NFTs tried to solve this problem already and it didn’t work. You can change the hash/sig of a video file by just changing one pixel on one frame, meaning you just tricked the computer, not the people who use it.
so try again?
also: if a pixel changes then it isn’t the original source video, by definition. being able to determine that it has been altered is entirely the point.
The point was to sign AI footage so you know what’s fake. NFTs can be used as a decentralized repository of signatures. You could realistically require the companies to participate, but the idea doesn’t work because you can edit footage so it doesn’t match the signature. More robust signatures exist, but none is good enough, especially since the repo would have to be public.
Signing real footage makes even less sense. You’d have to trust everybody and their uncle’s signature.
What would that solve? NFTs don’t have to be powerhungry proof of work, that was just for the monkeys. The public ledger part of this is not the problem.
How does that answer my question, how do NFTs help an organization prove that a key belongs to them?
NFTs and blockchains are an entirely virtual construct that can’t affect the real world, or take trusted, non-key inputs from the real world. That’s not 100% true, but it is mostly true.
So really, you need a way to tie or bind a key to an identity or organization. You could perhaps sign some data, such as a domain name with a key on a chain, but that doesn’t prove anything. Anyone could sign anything with any key, so you need to approach the problem from the other direction.
You can install the key directly, or the hash of the key into DNS, verifiers can retrieve the key from DNS, then resolve it to the full key if necessary. You can then use the key to verify signatures of signed data.
Why DNS? Because that is currently the most standard way to identify organizations on the internet. Also, much of the security of the internet is directly bound to DNS. For example, getting certificates for websites often entails changing a DNS record at the request of an issuer to prove that you own the domain in question.
This is not an idea I invented just now, there are multiple DNS record types that have been defined for literally decades at this point which allow an organization to publish keys to DNS. Among the first is this: https://www.rfc-editor.org/rfc/rfc2535#section-3 Not completely related, but it is a key of some kind published to DNS.
I don’t think NFTs provide any useful functionality in helping organizations prove that a key is theirs, at least nothing much better than a simpler solution which already exists.
i think the point is to be able to say “this video was released by X, and X signed it so they must have released it, and you can validate that yourself”.
it means if you see a logo that shows CNN, and its signed by CNN, then you know for sure that CNN released it. As a news organisation they should have their own due diligence about sources etc, but they can at least be held to account at that point.
versus random ai generated video with a fake logo and fake attribution that is going viral and not being able to be discredited in time before it becomes truth.
Why not link to the original CNN source then, if you want to be trusted? You’d have to do that anyways if you want to use the CNN footage in your own video.
I don’t think people who care about the validity of a news video will be helped much with this, and people who don’t care about the truth can easily ignore it too.
As a news organisation they should have their own due diligence about sources etc
But what if they can’t anymore? News orgs don’t only show video that they recorded. They have videos from freelance reporters, people who were at an event, government orgs, other news orgs in other countries…
sure, totally ok to incorporate those video items & publish your (signed) story. i think we’ve seen pretty clesrly that people want to publish and be recognised for their publications.
building a web of trust has to start somewhere.
currently we’re in the “its all very difficult, we cant solve all the tricky things, so we’re not even trying” stage.
hopefully we find a way to move forward, even if its not perfect.
videos need to be cryptographically signed and able to be verified. all news outlets should do this.
Cryptographic signatures are something we should have been normalizing for awhile now.
I remember during the LTT Linux challenge, at one point they were assigned the task “sign a PDF.” Linus interpreted this as PGP sign the document, which apparently Okular can do but he didn’t have any credentials set up. Luke used some online tool to photoshop an image of his handwriting into the document.
deleted by creator
agreed. having a cryptography mark on the file and relying on chain of trust is the way.
The NFTs tried to solve this problem already and it didn’t work. You can change the hash/sig of a video file by just changing one pixel on one frame, meaning you just tricked the computer, not the people who use it.
By changing one pixel it’s no longer signed by the original author. What are you trying to say?
Exactly that, if I change a pixel then the cryptographic signature breaks
so try again? also: if a pixel changes then it isn’t the original source video, by definition. being able to determine that it has been altered is entirely the point.
The point was to sign AI footage so you know what’s fake. NFTs can be used as a decentralized repository of signatures. You could realistically require the companies to participate, but the idea doesn’t work because you can edit footage so it doesn’t match the signature. More robust signatures exist, but none is good enough, especially since the repo would have to be public.
Signing real footage makes even less sense. You’d have to trust everybody and their uncle’s signature.
The signing keys could be published to DNS, for better or worse.
What would that solve? NFTs don’t have to be powerhungry proof of work, that was just for the monkeys. The public ledger part of this is not the problem.
How can an organization prove that a given key is theirs using NFTs?
A digital signature works with public/private keys and content hashes. This is a solved problem.
In fact, it’s part of secure DNS.
How does that answer my question, how do NFTs help an organization prove that a key belongs to them?
NFTs and blockchains are an entirely virtual construct that can’t affect the real world, or take trusted, non-key inputs from the real world. That’s not 100% true, but it is mostly true.
So really, you need a way to tie or bind a key to an identity or organization. You could perhaps sign some data, such as a domain name with a key on a chain, but that doesn’t prove anything. Anyone could sign anything with any key, so you need to approach the problem from the other direction.
You can install the key directly, or the hash of the key into DNS, verifiers can retrieve the key from DNS, then resolve it to the full key if necessary. You can then use the key to verify signatures of signed data.
Why DNS? Because that is currently the most standard way to identify organizations on the internet. Also, much of the security of the internet is directly bound to DNS. For example, getting certificates for websites often entails changing a DNS record at the request of an issuer to prove that you own the domain in question.
This is not an idea I invented just now, there are multiple DNS record types that have been defined for literally decades at this point which allow an organization to publish keys to DNS. Among the first is this: https://www.rfc-editor.org/rfc/rfc2535#section-3 Not completely related, but it is a key of some kind published to DNS.
I don’t think NFTs provide any useful functionality in helping organizations prove that a key is theirs, at least nothing much better than a simpler solution which already exists.
That’s not really feasible without phones doing this automatically.
Even then didn’t the first Trump admin already argue iPhone video can’t be trusted because it’s modified with AI filters?
… so make the phones do it?
i mean, its not rocket surgery.
Sign every video automatically? Sounds like chatcontrol all over.
Also, I could just generate a video on my computer and film it with my phone. Now it’s signed, even has phone artifacts for added realism.
i think the point is to be able to say “this video was released by X, and X signed it so they must have released it, and you can validate that yourself”. it means if you see a logo that shows CNN, and its signed by CNN, then you know for sure that CNN released it. As a news organisation they should have their own due diligence about sources etc, but they can at least be held to account at that point. versus random ai generated video with a fake logo and fake attribution that is going viral and not being able to be discredited in time before it becomes truth.
Why not link to the original CNN source then, if you want to be trusted? You’d have to do that anyways if you want to use the CNN footage in your own video.
I don’t think people who care about the validity of a news video will be helped much with this, and people who don’t care about the truth can easily ignore it too.
But what if they can’t anymore? News orgs don’t only show video that they recorded. They have videos from freelance reporters, people who were at an event, government orgs, other news orgs in other countries…
sure, totally ok to incorporate those video items & publish your (signed) story. i think we’ve seen pretty clesrly that people want to publish and be recognised for their publications. building a web of trust has to start somewhere. currently we’re in the “its all very difficult, we cant solve all the tricky things, so we’re not even trying” stage. hopefully we find a way to move forward, even if its not perfect.
How would that work? Why would you have any reason to trust me in this chain?