Deepfakes are easy to produce and increasingly difficult to identify. Innocuous examples like @deeptomcruise on TikTok demonstrate how far the technology has come.
This is not Tom Cruise.
A poorly implemented however far more dangerous example was the recent deepfake of Ukrainian President Zelensky.
Tools for creating deepfakes are easily available. Anyone with $15USD and a video of their target can produce realistic deepfakes using paid services.
Platforms like Twitter have used a verification mechanism to ensure content comes from legitimate sources. However the 2020 hacking of multiple verified Twitter accounts demonstrates the vulnerability of relying on a platform for verification.
Social media platforms have also proven themselves unable or unwilling to stop misinformation. Misinformation is profitable. Trust needs to be independent of platforms.
Tools exist to solve the problem of trust on the Internet. Public-key cryptography is a mathematically complex but conceptually simple system to authenticate content. With public-key cryptography the content producer has two keys, a private-key and public-key. The private-key should be known only by the content producer. The public-key, as the name implies, can be shared freely.
A message, such as a social media post, can be signed using the private-key and verified by anyone holding the associated public-key. The message can be trusted as originating from the owner of the private-key (as long as the private-key remains private and there are no other vulnerabilities in the particular public-key cryptography implementation).
Deepfakes and legitimate looking misinformation will continue to become more convincing. Self verification needs to be implemented by politicians, government agencies, NGOs, news media, and any other entity with important trusted information to share.
My tweets, Reddit posts, and blog posts are now all self verified. Technical implementation below.
The GNU Privacy Guard (GPG) is a complete and free implementation of the OpenPGP standard as defined by RFC4880. My content is signed using GPG. My public-key is stored on my website which is cached by Google & wayback machine. My public-key is also stored on a blockchain gregology.crypto (requires browser extension) so that an immutable record of my public-key exists.
Twitter has a 280 character limit. An OpenPGP signature stored as text would require a minimum of 4 tweets. Instead I store my tweet signatures as a QR code and attach them as an image. Here is a script I use to create QR signatures of messages.
#!/bin/bash# Generate QR code signature# Installation: brew install qrencode# Usage: $ qr_sign "my message to sign"echo$1 | gpg --clear-sign> msg.asc
qrencode -s 6 -l H -o"qr_signature.png" < msg.asc
open qr_signature.png
rm msg.asc
sleep 3
rm qr_signature.png
On Reddit I post my OpenPGP signature as a comment. This is a script I use to extract the content of my post, sign the content, and format a code block.
#!/bin/bash# Sign Reddit post# Installation: brew install jq# Usage: $ sign https://www.reddit.com/r/byok/comments/t2r9lg/public_key/
curl -A"r/byok post signing"-s$1.json | jq -r'.[0].data.children[0].data | .title, .selftext, .author, .permalink'>| post.txt
echo$1
gpg --clear-sign-a post.txt
cat post.txt.asc | while read line;do echo" $line";done
echo'Find my public key as a pinned post on my profile.'echo''echo'See the Bring Your Own Key sub to sign your own post r/byok'rm post.txt
rm post.txt.asc
My website runs on Jekyll served on GitHub Pages. All of my posts are signed and include instructions to verify content. In fact, my site won’t compile if any posts are missing an associated signature. This is the script I use to generate the signatures.
#!/bin/bash# Signs all postsfor file in _posts/*.md
do
if[-f"$file.asc"];then
echo"$file is already signed"else
echo"signing $file"
gpg --clear-sign-a"$file"fi
done
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- ---
title: "Trust & deepfakes"
author: Greg
layout: post
permalink: /2022/03/trust/
date: 2022-03-24 10:00:00 -0400
comments: True
licence: Creative Commons
categories:
- tech
tags:
- deepfakes
- GPG
- PGP
- ---
Information without trust is worthless.
Deepfakes are easy to produce and increasingly difficult to identify. Innocuous examples like [@deeptomcruise](https://www.tiktok.com/@deeptomcruise) on TikTok demonstrate how far the technology has come.
This is not Tom Cruise.
A poorly implemented however far more dangerous example was the recent deepfake of Ukrainian President Zelensky.
Tools for creating deepfakes are easily available. Anyone with $15USD and a video of their target can produce realistic deepfakes using [paid services](https://deepfakesweb.com/).
Platforms like Twitter have used a verification mechanism to ensure content comes from legitimate sources. However the [2020 hacking of multiple verified Twitter accounts](https://www.reuters.com/article/us-twitter-cyber-idUSKCN24G32Q) demonstrates the vulnerability of relying on a platform for verification.
Social media platforms have also proven themselves unable or unwilling to stop misinformation. [Misinformation is profitable](https://www.reuters.com/technology/facebook-whistleblower-reveals-identity-ahead-senate-hearing-2021-10-03/). Trust needs to be independent of platforms.
Tools exist to solve the problem of trust on the Internet. Public-key cryptography is a mathematically complex but conceptually simple system to authenticate content. With public-key cryptography the content producer has two keys, a private-key and public-key. The private-key should be known only by the content producer. The public-key, as the name implies, can be shared freely.
A message, such as a social media post, can be signed using the private-key and verified by anyone holding the associated public-key. The message can be trusted as originating from the owner of the private-key (as long as the private-key remains private and there are no other vulnerabilities in the particular public-key cryptography implementation).
Deepfakes and legitimate looking misinformation will continue to become more convincing. Self verification needs to be implemented by politicians, government agencies, NGOs, news media, and any other entity with important trusted information to share.
My tweets, Reddit posts, and blog posts are now all self verified. Technical implementation below.
[The GNU Privacy Guard (GPG)](https://www.gnupg.org/) is a complete and free implementation of the OpenPGP standard as defined by [RFC4880](https://www.ietf.org/rfc/rfc4880.txt). My content is signed using GPG. My public-key is stored on [my website](/secure/) which is cached by Google & wayback machine. My public-key is also stored on a blockchain [gregology.crypto](https://gregology.crypto/) ([requires browser extension](https://unstoppabledomains.com/extension)) so that an immutable record of my public-key exists.
Twitter has a 280 character limit. An OpenPGP signature stored as text would require a minimum of 4 tweets. Instead I store my tweet signatures as a QR code and attach them as an image. Here is a script I use to create QR signatures of messages.
```bash
#!/bin/bash
# Generate QR code signature
# Installation: brew install qrencode
# Usage: $ qr_sign "my message to sign"
echo $1 | gpg --clear-sign > msg.asc
qrencode -s 6 -l H -o "qr_signature.png" < msg.asc
open qr_signature.png
rm msg.asc
sleep 3
rm qr_signature.png
```
On Reddit I post my OpenPGP signature as a comment. This is a script I use to extract the content of my post, sign the content, and format a code block.
```bash
#!/bin/bash
# Sign Reddit post
# Installation: brew install jq
# Usage: $ sign https://www.reddit.com/r/byok/comments/t2r9lg/public_key/
curl -A "r/byok post signing" -s $1.json | jq -r '.[0].data.children[0].data | .title, .selftext, .author, .permalink' >| post.txt
echo $1
gpg --clear-sign -a post.txt
cat post.txt.asc | while read line; do echo " $line"; done
echo 'Find my public key as a pinned post on my profile.'
echo ''
echo 'See the Bring Your Own Key sub to sign your own post r/byok'
rm post.txt
rm post.txt.asc
```
My website runs on Jekyll served on GitHub Pages. All of my posts are signed and include instructions to verify content. In fact, my site won't compile if any posts are missing an associated signature. This is the script I use to generate the signatures.
```bash
#!/bin/bash
# Signs all posts
for file in _posts/*.md
do
if [ -f "$file.asc" ]; then
echo "$file is already signed"
else
echo "signing $file"
gpg --clear-sign -a "$file"
fi
done
```
and the associated [_includes/signature.html](https://github.com/gregology/gregology.github.io/blob/master/_includes/signature.html).
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEESYClA57JitMYg1JBb8nUVLEJtZ8FAmK3D34ACgkQb8nUVLEJ
tZ9JNBAAvzBMyiYPobB7YWx0R6O0rQ89ABjBThN3gAoAsfLHQ9nBr1v2ySYCqqij
e8IboR9KIwauvZOM2V/A8LWmrDJIvFZFP59vAoOUEzsYf7O72NebONk9MhHSFaFL
lY45O8nMnUHwP2+NiOUwxz/3XPpNPsHJp1q7wzkubfJcUDfjGBwE+/K0Hcvr0VSd
mutB4+LqlotjHJc+rLIofiTjDIPvOjn0I3sJNBWdb1bzuufQLL4Mmvx/54ukM0F/
tG8isNRdePShR1CZ/oqHXGaJUziCyHC63meuyauyi8YB1b9yu7NI1C96ga2HfQwe
Qo9GjJMtuvmp+k54uc2vQ8600sUHZwx+LkW8qS8SfJxs2VoAGblI+IbkgyfuZdoG
gi+SYyd+2oMGD4PnYsDuzCI1Y5pvpU3tuDLlrsQM2uwlTcv40L3q618Bmty5qAbS
pHhkQ1KJS6YD64yjV+/SWWuMINHTOV+MVGknfh/4wTndqBZk2dKcmyTFF12uODbi
y78ptGKLwLgw+iV9VuKXGMDoC2u0hkxYKAje5Ngcy9P8bdP4XjfLHXmrBesEyTC4
ySB7XDqMfRxnkIKhKmTTjPXfJbQQXZPzSrbbWy9QcExfx4xylk09cNRnXHFwmM31
78UnYj7GuM3AsFPP9VgpNeJpX0xRZiu6+m0XRgbsUQ9YAKt1mHE=
=l5q6
-----END PGP SIGNATURE-----