by sbszllr 1410 days ago
Source: I work in the field.

This is a current limitation, and an artifact of the data+method but not something that should be relied upon.

If we do some adversary modelling, we can find two ways to work around this:

1) actively generate and search for such data; perhaps expensive for small actors but not well equipped malicious ones.

2) wait for deep learning to catch up, e.g. by extending NeRFs (neural radiance fields) to faces; matter of time.

Now, if your company/government is on the bleeding edge of ML-based deception, they can have such a policy, and they will update it in 12-18-24 months (or whenever (1) or (2) materialises). However, I don't know one organisation that doesn't have some outdated security guideline that they cling to, e.g. old school password rules and rotations.

Will "turning sideways to spot a deepfake" be a valid test in 5 years? Prolly no, so don't base your secops around this.

18 comments

> This is a current limitation

The thing with any AI/ML tech is that current limitations are always underplayed by proponents. Self-driving cars will come out next year, every year.

I'd say that until the tech actually exists, this is a great way to detect live deepfakes. Not using the technique just because maybe sometime in the future it won't work isn't very sound.

For an extreme opponent you may need additional steps. So this sideways trick probably isn't enough for CIA or whatnot, but that's about as fringe as you can get and very little generic advice applies anyway.

It sounded to me like the parent poster wasn't saying not to use it, but simply that it cannot be relied upon. In other words, a deepfake could fail a 'turn sideways' test and that would be useful, but you shouldn't rely on a 'passing' test.
Another way to think of it might be that it can be relied on - until it can't. Be ready and wary of that happening, but until then you have what's probably a good mitigation of the problem.
I think the concern is complacency, and the inertia of existing security practices leads to security gaps in the future. "However, I don't know one organisation that doesn't have some outdated security guideline that they cling to, e.g. old school password rules and rotations."

Or put another way, humans can't be ready and wary, constantly and indefinitely. At some point, fatigue sets in. People move in and out of the organization. Periodic reviews of security practices don't always catch everything. Why something was implemented was forgotten by institutional memory. And then there's the cost for retraining people.

The flip side of that is people feeling/assuming there's nothing they can really do with the resources they have therefore they choose to do nothing.

Also, those that are actively using mitigations that are going to be outdated at some point are probably far more likely to be aware of how close they are to being outdated, by encountering more ambiguous cases and seeing the state of the art progress right in front of them.

As for people sticking to outdated security practices? That's a problem of people and organizations being introspective and examining themselves, and is not linked to any one thing. We all have that problem to a lesser or greater degree in all aspects of what we do, so either you have systems in place to mitigate it or you don't.

Therefore, developing and customizing a proper framework for security and privacy starts by accurately assessing statutory, regulatory, and contractual obligations, and the organization's appetite for risks in balance with the organization's mission and vision, before developing the policies and specific practices that organizational members should be doing.

To use a Go (the game, not the language) metaphor, skilled players always assess the whole board rather than automatically make a local move in response to a local threat. What's right for one organization is not going to be right for another. Asking the caller to turn sideways to protect against deepfakes should be considered within the organization's own framework, along with the various risks involved with deepfakes, and many other risks aside from deep fake video calls.

How do you find out that it doesn't work?
Exactly. Even the article gave a couple cases of convincing profile deepfakes. Admittedly they’re exceptional cases, but in general progress tends to be made.
The self driving car of next year arrives just in time for the Iranian atomic bomb :-D which is ready in two years for about as long as I'm around. https://www.theatlantic.com/international/archive/2015/04/ir...

If all the money on self driving cars would have been put into public transport (driverless on rails is a solved issue) and pushing shared car ownership instead, we might actually get somewhere towards congestion-free cities.

We can already have congestion-free cities today, no new technology nor public transport required. We have had the technology for quite a while now: congestion charging.

It works really well in Singapore to control congestion, and also worked well in London when they adopted it afterwards.

Public transport also works quite well in many places around the world.

It also used to work really well in North America in the past. A past when the continent was much poorer. (I'm mostly talking about USA plus Canada here.)

Public transport only works when after you step off the bus or train, you can get to your destination on foot. Density is outlawed in much of the USA and Canada.

https://www.youtube.com/watch?v=MnyeRlMsTgI&t=416s starts a good section about Fake London, Ontario. At great expense, they built a new train line. But approximately no one uses it, because you can't get anywhere when leaving the stations. The video shows an example of a station where the closest other building is about 150m away. And that's just a single building. The next ones are even further.

Land use restrictions and minimum parking requirements are a major roadblock. And just throwing money at public transit directly won't solve those.

Shared car ownership is an interesting idea. Uber can be seen as one implementation of this concept. It can be done profitably, but I'm not sure it has much impact on the shape of cities?

In the grand scheme of things, there's not much money being put into self-driving cars so far. A quick Googling gives a Forbes article that suggests about 200 billion USD.

In terms of this particular tech, the previous obvious limitation, namely no blinking, worked for something like a quarter from discovery.

The Venn diagram of people who someone wants to trick by this particular tech, those who read any security guidelines and those worthy of applying this kind of approach to in the first place is however pretty narrow for the foreseeable future. It's more of a narrative framing device to talk about 'what to do to uncover a deepfake video call' as a way to present interesting current tech limitations - not that I particularly mind it.

Exactly! Our SecOps includes seeing people regularly. Until deep fakes can fake accents, tone, body language and jokes, we're safe. :)
This may be like a proof of work cryptography issue, except the burden of work is on the deep fake. Just ask a battery of questions, just like out of a Bladerunner scene or whatever. This is still the problem with AI. It depends on tons of datasets and connectivity. Human data and human code are kind of the same. Even individually, we can start with jackshit and still come up with an answer, whether right or wrong. Ah, Lisp.
> Self-driving cars will come out next year, every year.

"Come out" could mean different things in different contexts. Deepfake defence context is analogous to something like: there are cars on public roads with no driver at the wheel. And this is already true in multiple places in the world.

Waymo in Arizona is an example.
I think it's odd we don't think of other limitations of products the same way. Put another way, why don't we just say it can't do it.

Example, we don't say a jet ski has a current speed limitation of 80 mph, we say it can go 80, but not 81. It's a simple fact. No promise that it will be faster tomorrow, because that's not what it is, it's not its future self.

It's like they're combining the startup "it will always be better after you invest more money" with the reality of what "is" means.

One thing that I haven't seen mentioned is that many of the recent articles I've seen misuse the phrase "deep fake" and usually mean "face-swap algorithm" or "look-alike". The former, I believe, has been able to defeat this test for 10 years at least, and the latter has always been able to defeat this trick.
> The thing with any AI/ML tech is that current limitations are always underplayed by proponents

If you don't worry about deepfakes, ok. But if you worry about deepfakes, you should not be reassured that this glitch is going to save you.

I'm not a proponent, just think your argument in this context doesn't work.

Self-driving cars are a million times harder than this, this is a terrible comparison.

Getting a model to work with images turned sideways is a few lines of code (just turn image sideways at training time).

>> images turned sideways

Instead of pictures of faces, now they're just vertical lines.

The technique can in principle be defeated today so it should not be employed as a single test, but rather another arrow in the quiver.
The only person who is promising self driving cars next year (and has done so every year for the past 5 years) is Elon Musk. Most respectable self-driving car companies are both further along than Tesla and more realistic about their timelines.
Let's take a look at some of those realistic timelines. A quick googling gave me a very helpful listicle by VentureBeat from 2017, titled Self-driving car timeline for 11 top automakers. [1]

Some examples:

Ford - Level 4 vehicle in 2021, no gas pedal, no steering wheel, and the passenger will never need to take control of the vehicle in a predefined area.

Honda - production vehicles with automated driving capabilities on highways sometime around 2020

Toyota - Self-driving on the highway by 2020

Renault-Nissan - 2020 for the autonomous car in urban conditions, probably 2025 for the driverless car

Volvo - It’s our ambition to have a car that can drive fully autonomously on the highway by 2021.

Hyundai - We are targeting for the highway in 2020 and urban driving in 2030.

Daimler - large-scale commercial production to take off between 2020 and 2025

BMW - highly and fully automated driving into series production by 2021

Tesla - End of 2017

It certainly wasn't just Tesla who was promising self-driving cars any second now. Tesla was definitely the most aggressive, but failed to meet its goals just like every other manufacturer.

--

[1] https://venturebeat.com/2017/06/04/self-driving-car-timeline...

There was definitely a period when everyone (for certain values of same) felt they needed to get into a game of topper with increasingly outlandish claims. Because if they didn't, people on, say, forums like this one (and more importantly the stock market) would see them as hopelessly behind.
Wow they all really got suckered by the AI grifters didn't they?
Self-driving cars have been common in Europe for decades. We just use the less cool term "subway" for them.

Sorry, I couldn't resist. :)

Subways are common worldwide.

In fact, the first (practical) one was in Boston; not in Europe.

Sorry, I couldn't resist. ;)

London and Budapest had subways before Boston did. So did some other cities depending on which list you look at.

So what made Boston’s later entry the first “practical” one?

[Edit] Or do you mean self-driving subways? Does Boston have one already? A quick Googling suggests the opposite:

https://whdh.com/news/mbta-officials-considering-self-drivin...

Sure, but are they self driving?

A number of European capitals seem to have managed to do driverless high capacity underground trains. Here in the UK, we've got a number of automated trains, but for union reasons they still have drivers in the cab who press go at each station.

In the US, it looks like Detroit has a self driving line, and there are a bunch of airport shuttles. Presumably you are hitting the same union issues as us?

Let's not dismiss the point that self-driving cars are the "stone soup" of machine learning industry. Like the monk who claimed he could make soup with just a stone, machine learning claimed that with two cameras, two microphones, and steering/brake/accelerator control, a machine would someday soon drive just like a human can with that hardware equivalent.

Then it turned out, well, we actually need a lot more cameras. Now we need high res microphones. Now we need magnets embedded in the road. Now we need highly accurate GPS maps. Now we need high power LIDAR that damages other cameras on the road. Now we need....

Each little ingredient in the soup "made only with a stone." Machine learning has utterly failed to deliver on this original promise of learning to operate a vehicle like a person, with no more sensors than a person.

"Machine learning has utterly failed to deliver on this original promise of learning to operate a vehicle like a person, with no more sensors than a person."

I am not aware of anyone except Musk making that claim. "Machine learning" as in the statements of the main researchers, certainly did not promise anything like it.

The problem for self driving cars is the risk tolerance. No one cares if a deep fake tool fails once every 100,000 hours because it results in a substandard video instead of someone dying.
What about reflections? When I worked on media forensics, the reflection discrepancy detector worked extremely well, but was very situational, as pictures were not guaranteed to have enough of a reflection to analyze.

Asking the subject to hold up a mirror and move it around pushes the matte and inpainting problems to a whole nother level (though it may require automated analysis to detect the discrepancies).

I think that too might be spoofable given enough time and data. Maybe we could have complex optical trains (reflection, distortion, chromatic aberration), possibly even one that modulates in real time... this kind of just devolves into a Byzantine generals problem. Data coming from an untrusted pipe just fundamentally isn't trustable.

I wonder how good the deepfake would be for things it didn't have training data on. For example, making an extreme grimace. Or have the caller insert a ping pong ball in his cheek to continue, or pull his face with his fingers.

One thing I notice with colorized movies is the color of the actor's teeth tends to flicker between grey and ivory. I wonder if there are similar artifacts with deep fakes.

Years and years of having to do increasingly more insane things to log into banking apps until we’re fully doing karaoke in our living rooms or stripping nude to reveal our brand tattoos
Plenty of new content for the banks' TikTok followers to enjoy :D
Please drink a verification can to continue, caller.
If I remember correctly, the context was that Microsoft had made the Kinect mandatory for the Xbox One which wouldn't function without it. And the Kinect was being used for some silly voice/motion control crap.

The extreme reaction and copypastas like this probably led to Microsoft scrapping that idea a few years later.

A can of Ubik please
"Please put one finger behind each ear and flap them at me."
I had to laugh with tears at this one. :)
Shoe on head?
This was my first thought. Ask the person to turn sideways and then put a shoe on their head. Or put a shoe on their head and then turn sideways.
Last time I applied for a credit card online, they asked me to take a video of myself and turn my head from side to side.
This sounds like a great way to get sufficient images/video of you to create a deepfake that could pass this test. Hmmm...
New mandatory security rule: Employees must never turn their heads side to side in a meeting.
Microsoft Teams developed a feature where if you're using a background and turn sideways, your nose and the back of your head are automatically cut off.

Bug closed, no longer an issue, overcome by events.

Interesting that you bring that up. The most egregiously invasive student and employee monitoring software requires that the subject always face the camera. That seems most ripe for bypassing with the current state of deepfakes. https://www.wired.com/story/student-monitoring-software-priv...
I work as a Digital Gardener[1] and we’re trained to NEVER use our real name.

- [1] https://youtu.be/XQLdhVpLBVE

My bank does a much better system where they ask for a photo of you holding your ID and a bit of paper with a number the support person gave you for authorizing larger transactions. It's still not bullet proof but since you already have to be logged in to the app to do this, I'd say it is sufficient.
Interesting anecdata! Do you think the photo is authenticated/validated automatically (by software), or by a human, or combination (assistance)?

And, if you are willing to share, what country/bank?

This case I was on the bank text support requesting to make a transaction of $100,000 in one go which the app would not let me do. So it was a real person on the other side. Bank was in Australia called Up.
This sounds like a good thing. An extra step in a $100,000 transaction to prevent accidents or crimes definitely feels justified if the account's not marked as normally moving heaps of money like a billionaire or something.
Yeah this is quite common with fintech (stock brokers and crypto IME) KYC nowadays I've noticed.
May I ask what card/Institution? This would be an immediate no for me.
I'd trust the data with a (real, not online) bank more than most other companies like Google.

I'd be more worried about people hacking into networked security camera DVRs at stores and cafes and extracting image data from there. Multiple angles. Movement. Some are very high resolution these days. Sometimes they're mounted right on the POS, in your face. Sometimes they're actually in the top bezel of the beverage coolers.

Banks are the hardest way to get this data, not the easiest one.

> Banks are the hardest way to get this data, not the easiest one.

Is this statement based on data or a hunch? A quick google turns up a lot of bank data breaches.

> A quick google turns up a lot of bank data breaches.

Because banks have to report data breaches. Do you think every neighborhood Gas-N-Blow is publicizing, or even knows, that it's been hacked?

Good point. I’m still wary of just assuming (if that’s what we’re doing here?) that old established organizations you’d expect to be secure are in fact secure. For example I would have expected credit rating agencies to be secure…

Mandatory reporting certainly helps IMO. Reporting should be mandatory for anyone handling PII.

No bank is going to run such a system in house. It will be a contracted service whose data is one breach away from giving fraudsters a firehose of data to exploit their victims.
You would? You would trust a random number to call you and talk to you about your bank account?

(That's what Chase's fraud department tells you to do... no joke)

"I trust you more than Google" is a pretty low bar in terms of personal data.
I want to know so that I can forward this to lawyers that specialize in biometric privacy law (in IL).

Fuck these biometric data farmers.

Yes, I believe this sideways turning thing is mandatory when doing online identifications.
What is an "online identification"? In what context would such a thing occur?
And now that scan could eventually end up out there someplace.
Agreed. Now they have the data to deep fake you turning your head.

I hope they delete the data immediately after use.

Frankly, of all the personally identifying data I share with my bank, a low resolution phone video of the side of my head is the least worrying. It's like worrying the government knows my mum's maiden name!

In the eventuality that robust deepfake technology to provide fluid real-time animation of my head from limited data sources exists and someone actually wants to use it against me, they can probably find video content involving the side of my head from some freely available social network anyway.

I've been looking to rent housing and get a new job the last few months. The amount of info I've sent strangers always worries me.

At least with housing they don't ask me to input the information I've already sent them into their crappy website.

And, if deepfake technology becomes so easy to use, video of your face will no longer serve to identify you.
The implementation I’ve seen only stores a hash based on the image analysis
As far as I can see, secops is an eternal cat-and-mouse game.
Some see secops as futile until the tools are here. So we're making those tools instead.
Literally an arms race.
Face race?
job security
Indeed (:
It saddens me how many smart people are working in such an unethical field.
Interesting to bump in to somebody that works in this field.

What do you do in this field?

What's the direction of travel on it?

What makes it worth pursuing at a commercial level? In other words - how is this tech going to be abused/monetized?

1) actively generate and search for such data

What about doing a bunch of video calls, and asking for callers to show their profile, "to guard against deepfakes?"

The other thing is, why is this even important, when you shouldn't be basing decisions off the other person's race or face in general?

Base everything off the work they do, not how they look. Embracing deepfakes is accepting that you don't discriminate on appearances.

Hell, everyone should systematically deepfake themselves into white males for interviews so that there is assured to be zero racial/gender bias in the interview process.

But currently, it's pretty much a guarantee that you can pick out a deepfake with this method as there is no way for current methods to account for it that are in use.

As with any interaction with more than one adversary, there is an infinite escalation and evolution with time. And similarly then something will come up then that is unaccounted for and so on, and so on.

Asking for entropy that's easy for a real human to comply with and difficult for a prebuilt AI is at least a short term measure. Such as: show me the back of your head sideways, then go from head to feet without cutting the feed.

Easy for a human, difficult for ML/AI

>Will "turning sideways to spot a deepfake" be a valid test in 5 years? Prolly no, so don't base your secops around this.

We'll just ask them to do "the Linda Blair". If they can turn their head 360 degrees, prolly a deepfake ;P

> so don't base your secops around this.

If it's a high-threat context I don't think live video should be relied on regardless of deep fakes. Bribing or coercing the person is always an alternative when the stakes are high.

What if the real person draws something on his face? Does the deepfake algorithm remove it from the resulting image? Can you ask the caller to draw a line on his face with a pen as a test?
> Can you ask the caller to draw a line on his face with a pen as a test?

I think if the caller did this without objection that would be a bigger indication that it is a deep fake than the alternative. What real person is going to comply with this?

I was thinking of those two cases. Stuff like this is always a cat and mouse game.
> Will "turning sideways to spot a deepfake" be a valid test in 5 years? Prolly no, so don't base your secops around this.

Couldn't the same thing be said about passwords, 2FA with SMS or asymmetric cryptography?

Meanwhile, real IDs have been easy to replicate for decades, but are still good enough for the job.

OK, you passed the yokogao test. Now take a crayon and draw an X on your cheek.
“The Impossible Mission Force has the technical capabilities to copy anyone’s face and imitate their voice, so don’t base your secops around someone’s appearance.”

… yes, because that worked well.

> … yes, because that worked well.

Just to be clear, Mission Impossible is not a documentary.

It is, however, a lower bound on whether it is the case that something is a reasonably foreseeable/precedented area of research.

After all, if the artist can imagine and build a story around it, there'll be an engineer somewhere who'll go "Ah, what the hell, I could do that."

*By Goldblum/Finagle's Law, it is guaranteed said engineer will not contemplate whether they should before implementing it, and distributing it to the world.

This is another example of why we can't have nice things.