Don’t Trust Screen Shots

Here’s a screen shot of a post at Instapundit. See if you can spot any differences between the current post and the screenshot.

That took me literally five seconds to alter.

I use an organization/document-management app for the Mac called  DevonThink Pro. The app has many supporting scripts to capture information from various sources. Today, I learned of one called “Make Editable” a bookmarklet script for Safari and Firefox. When activated, it switches the browser page into developer mode that allows the editing of the original page right in the browser window.

The intended use of the script is for DevonThink users to cleanup or annotate a web page before printing it or saving it to DevonThink as a PDF or webarchive. While testing the script I discovered that the script made it ridiculously easy to alter a web page in place complete with the correct font, font size, and style. Developer mode has always been tucked away and users had to dig for it but now the script makes accessing it almost instantaneous. The script makes it very easy for an unscrupulous individual to fraudulently alter webpages, take a screenshot, then claim that the page’s author wrote something they didn’t and then tried to covered it up later by reposting.

Yeah, I’m always thinking about how things can go wrong.

The technology to fake up screenshots has been around for a decade or more but such fakery required a graphic app, skill in using it, and possesion of the exact font used on the page. The alterations would usually leave subtle distortions in the image, especially the non-visible sublayers, which would signal it as a fraud upon expert examination.

Now, with “Make Editable,” a scammer just clicks a button, clicks the text he wants to alter, types in the fraudulent text and the text appears in exactly the exact same font, style, and size as the original. The screenshot graphic itself has no fingerprints of alteration because the screenshot is a perfectly legitimate and faithful copy of what appeared in the browser window.

Every technology is a two edged sword. The very ease of which we can copy, alter and distribute information via computers and the internet also makes that information far more arbitrary and virtual. As we see more and more of the world though digital media, we also more and more risk seeing a distorted or even outright fraudulent version of reality. We can boil down human intellectual history down to progressive struggle to fight through the “fog of life,” past all the distorting preconceptions and limited perspectives. Now, we have to worry about filtering out virtual reality as well.

Stay on your toes.

6 thoughts on “Don’t Trust Screen Shots”

  1. The technology to fake up screenshots has been around for a decade or more but such fakery required a graphic app, skill in using it, and possesion of the exact font used on the page. The alterations would usually leave subtle distortions in the image, especially the non-visible sublayers, which would signal it as a fraud upon expert examination.

    Your point about the ease of falsifying documents in the digital era is well taken.

    However, almost every word in the above paragraph is incorrect, at least as it applies to web pages.

    Just about any browser has a Save As Complete Web Page option. This has been true pretty much since the advent of the Web. Simply save the web page, edit the .html content in any text editor, open the saved document, and take your screenshot.

    Just now, with no special tools or expertise, I created a screenshot of this article with the words “Don’t Trust Screen Shots” globally replaced by “I Don’t Know What I’m Talking About”. I used Firefox and Windows Notepad, and it took me about 30 seconds.

    Tools like Make Editable can make the process of altering pages more accessible to extremely naive users, but the assertion that you previously had to be an expert to modify a web page is completely false.

  2. Seebit,

    Your point is pretty valid except that it just replaces knowledge and skill with graphic apps with knowledge and skill of html,CSS, DHTML, Javascript etc which these days can be extremely complex. Many webpages have more code than half the apps I write. Besides there have always been pages with dynamic content or graphics that don’t archive well or at all.

    I never meant to imply that there wasn’t a way to fake screen shots but just that the skill level used to be fairly high and now it’s not. This wasn’t something I found because of my expertise, it was something I blundered into in the course of using a wholly non-programing related app. Upon thinking about it, that capability has been latent for years in most browser but few but actual web devs ever knew about it. I vaguely knew about but not to the point of think I could alter existing pages.

    The general trend in computing has always been to push more ability out to non-technical users and I think we’ve reached another threshold here where fakery becomes so much easier that it changes the game.

    It’s something like the transition from swords to firearms. With swords a man had to be trained from early childhood to wield and those who studied the sword could always defeat someone who just picked it up. With a flintlock or worse, an AK-47 an untrained man, woman or even a child can become a serious threat to highly trained soldier.

    Once it took a skilled forger, a specialized and gifted artist, to forge hardcopy documents. Now anyone can do so with no more difficulty than sending an email.

  3. Any idiot can edit HTML. I did it for many years with a text editor, although back-ends were my real love.

    Anything digital is easy to change. We have known that for a long time. It seems you have just discovered this though.

  4. The counter is, of course, to digitally sign your pages. Unfortunately nobody seems to be doing that. X.509 and PGP are the front runner systems for digital signatures. But yes, don’t trust screen shots.

  5. I got in trouble some years ago when our auditors told me they could rely on a report because they had tested it. I was astounded, because the report was the output of an ad-hoc query that they received from me (or my predecessor) as a text file, and I told them they needed to do more work. They demurred. Unable to resist temptation, I took the query input parameters and changed them so that the results came up with nothing at all. Then I executed the query with the original parameters, manipulated the text output in ways I thought were obvious, like changing the names of securities to obscene variants, changing bond prices to negative numbers, and even changing the name of the report in the heading. I gave both reports to the auditors and waited for the eruption. It never came. I finally had to tell them what I had done, and of course, they complained to their alumni higher up on the organization chart.

    It’s amazing how much trust people place in what they are used to seeing.

Comments are closed.