Tuesday, May 31, 2011

It's looking bad -- for Dan Wolfe

This may seem like an overly technical post to you, but it isn't -- not really.

EXIF data is also called metadata. Basically, when you snap a picture on your iPhone or digital camera, you are also making a small file which records for posterity some information about how that picture originated: The kind of camera used, the date, the size of the image and so forth.

As I explained in the previous post, EXIF data is not foolproof evidence. If, say, you use Photoshop to paste Image B over Image A, Image B will have the EXIF data for Image A. You can also use certain apps to switch out the data, just as you can rewrite the ID tag for an mp3 file.

Let's say someone claims that he has snapped a photo of Bigfoot. If the photographer can't give you EXIF data to go with the image, he's almost certainly scamming you. If he does give you EXIF data, he may still be scamming. The presence of EXIF data is no guarantee of authenticity, but its absence is a pretty good indication of fraudulence.

Now study the chart above. In the case of Dan Wolfe's browser cache version of the now-infamous lewd photo, we have a decided lack of EXIF data. That is to say: We don't have any indication as to the camera used to snap the shot.

If you bring a raw photo into Photoshop, copy it, paste it into a new file, and then save that file, the result will have EXIF data similar to what Dan is showing us here. You'll get information about format (dimensions and such) but no information about the camera used.

So what happened in this case?

Conceivably, it is possible that Yfrog created this 800 by 600 image as a copy of the original. (We'll explain more about that very soon.) But there is a problem here. To understand this problem, you have to pay attention to the following data (which comes from a Wolfe-friendly site).

"This version of the image is exact same size as the original uploaded to yfrog, 800 x 600 pixels.

"Yfrog has three different versions of every file. The first is the thumbnail sized image found in user’s profiles. The second image is a medium size quality (the version of the photo we have), and the third is the higher quality. Users can access higher quality photos by clicking on the first image. @PatriotUSA76 told me he had not clicked through the file, which is the reason he only had the medium quality version."

Dan is PatriotUSA76. The problems should now be obvious.

1. Where's the thumbnail? That should be on the browser cache as well -- if Dan really did get these images from Yfrog.

2. Dan has established a record of being absolutely obsessed with Anthony Weiner. Why wouldn't he click through to the original photo? If he's savvy enough to know what EXIF data is, why did he avoid going to the image that would contain it?

3. If Dan really did retrieve this photo from his browser cache, he should be able to give us the entire page, including a date stamp. He should also be able to call up that page via History in Firefox. Hey, the guy says he has nothing to hide, right? I'm not the only one to question whether he really got this image from a visit to YFrog.

4. Most importantly: In my experience, Yfrog does not make 800x600 photos. The medium-sized image that Yfrog creates is 640x480, which also happens to be the dimensions of the photo as it appeared on Breitbart's site.

5. If 800x600 is the "exact same size as the original uploaded to yfrog," then Dan did click through to the largest size. And that means that all of the EXIF data ought to be present. If the photo is authentic, we should have camera data which matches that of Weiner's BlackBerry.

How do I know that Yfrog does not create 800x600 intermediate images? Because I ran an experiment involving an uploaded photo of my dog Bella. Here she is. The original is 2592 by 1944, even larger than the photo made by Weiner's BlackBerry. You can click through to that large version, download, look at the EXIF data, and discover which camera I used. The medium-sized version of the Bella shot is 640 by 480.

No matter how or where I click on that Yfrog site, I can't get at an 800 by 600 version.

(Incidentally, you can acquire most of the EXIF data by downloading the image, right-clicking it, then clicking on the "Details" tab. There's more data to be found, but it's harder to get at.)
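
The same check can be scripted. The Python below is an added example, not part of the original post: it reads the pixel dimensions and the camera-identifying EXIF tags (Make, Model, Software, DateTime) directly from a JPEG's header bytes. The two sample headers and the names ExampleCam, EC-1000 and ExampleEditor are constructed for illustration.

```python
import struct

TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}

def parse_ifd0(tiff):
    """Read the ASCII tags listed above from the first directory of an EXIF block."""
    e = "<" if tiff[:2] == b"II" else ">"          # byte order: II little, MM big
    (ifd,) = struct.unpack(e + "I", tiff[4:8])
    (count,) = struct.unpack(e + "H", tiff[ifd:ifd + 2])
    out = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(e + "HHI", entry[:8])
        if tag in TAGS and typ == 2:               # type 2 = ASCII string
            off = struct.unpack(e + "I", entry[8:])[0]
            raw = tiff[off:off + n] if n > 4 else entry[8:8 + n]
            out[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return out

def read_jpeg_metadata(data):
    """Walk the JPEG header segments; return pixel size plus any tags found."""
    info, pos = {}, 2                              # skip the SOI marker (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        marker, seglen = data[pos + 1], struct.unpack(">H", data[pos + 2:pos + 4])[0]
        body = data[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body[:6] == b"Exif\x00\x00":
            info.update(parse_ifd0(body[6:]))
        elif marker in (0xC0, 0xC2):               # SOF: precision, height, width
            info["size"] = struct.unpack(">HH", body[1:5])[::-1]  # (width, height)
        pos += 2 + seglen
    return info

def build_sample(width, height, tags):
    """Constructed JPEG header for the demo (tag values must be 4+ characters)."""
    sof = b"\xFF\xC0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    entries, blob = b"", b""
    for tag, text in sorted(tags.items()):
        val = text.encode() + b"\x00"
        entries += struct.pack("<HHII", tag, 2, len(val), 14 + 12 * len(tags) + len(blob))
        blob += val
    tiff = b"II*\x00" + struct.pack("<IH", 8, len(tags)) + entries + bytes(4) + blob
    app1 = b"\xFF\xE1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff
    return b"\xFF\xD8" + app1 + sof + b"\xFF\xD9"

# Constructed samples: a camera original and an editor re-save at the same size.
ORIGINAL = build_sample(800, 600, {0x010F: "ExampleCam", 0x0110: "EC-1000"})
RESAVED = build_sample(800, 600, {0x0131: "ExampleEditor"})
```

For a real file, pass `open(path, "rb").read()` to `read_jpeg_metadata`. A result that has a size but no Make or Model is the pattern described earlier for a copy saved out of an image editor.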

Why would there be both a 640x480 version and an 800x600 version of the image on Dan's computer? Why would Yfrog create four different files when Dan Wolfe comes a-visiting, while everyone else gets only three? If the 800x600 version represents Weiner's uploaded original, then why did the crucial EXIF information go missing? Why don't we know anything about the camera which made the picture?

Again: The only person who claims to have seen the Weiner crotch shot in situ is Dan. Maybe a few of his cohorts might back up his claims, but I know of no one objective who can say that he saw it there.

Weiner says that his account was hacked. That may be presumption on his part. He believes that his Twitter account was hacked because there was a concurrent attempt to hack into his Facebook account. But he has never claimed to have seen the photo on his Yfrog page.

So we really have no proof that the Weiner crotch photo was ever uploaded to Yfrog. We have no proof that the screen cap which appeared on Breitbart's site was real.

Dan, your browser's History probably holds at least seven days' worth of material. If you really have nothing to hide, then show the entirety of the Yfrog pages that you visited -- the one with the thumbnail and the one with the 800x600 image. (You know about screen capture videos, don't you? I believe CamStudio is freeware.)

I think you should also give us an explanation as to why Yfrog created an 800x600 image for you but not for me.

Until then -- I detect the odor of bullshit. Or maybe we need to coin a new term: Breitshit.

11 comments:

milowent said...

i posted this on joebrooks page first: "i took a pic on my blackberry and emailed it to myself in various sizes (original, small, medium, large). The medium file was 800x600. The image information I could access when I viewed the image was the same as what joe posted above. it includes the "rim exif" line, but does not ID the blackberry type or populate any other lines other than what is in joe's screenshot. in my view, this corroborates that the picture was taken on a blackberry (or made to look so). this by itself does not mean too much to me, because it seems equally consistent with being a well-executed prank/hack or a legitimate post."

in my opinion, the uploading of this pic to a public image site (yfrog) is a key fact most inconsistent with Weiner doing this. it would be insane for him to do that unless he completely misunderstood how yfrog works. once it was uploaded, it would be public, regardless of whether he intended to DM it to someone.

since yfrog is closely linked to twitter it would simply take a successful phishing of weiner's twitter password to pull off this prank/stunt. it's not impossible for this to happen to a man in his mid-40s, even if tech-savvy, many people get phished who are over 30.

Joseph Cannon said...

I need more explanation about this line:

"i took a pic on my blackberry and emailed it to myself in various sizes (original, small, medium, large). The medium file was 800x600."

Neither my ladyfriend nor I have ever owned a blackberry. Are you saying that you switch file sizes BEFORE sending? Without using an imaging program?

And why was the camera identification present in the Weiner photo universally acknowledged to be authentic?

Anonymous said...

There is another problem with the mysterious 800x600 file that came from Dan Wolfe's (@PatriotUSA76) internet cache. The larger file has a create date of 5/30/2011 at 01:26:24AM.

Yet the medium size file shows a create date of 5/27/2011 at 11:32:58PM

Now, if these two files came from the same internet cache, they would not have create dates and times nearly 72 hours apart. Are Wolfe and Joe Brooks saying the larger image was still on the YFROG site nearly 3 days after every other account was deleted? If these images found in the Internet cache came from the same visits to the site, the create date and times would be minutes apart at most.

This date change was not caused by the date the zip was created. Running a test, I zipped a file with a 2006 create date from my own computer and the image create date remained unchanged while the zip file carried the current date and time.

milowent said...

joseph: yes, on my blackberry torch you can pick the size (original, large, medium, small) you want to email the picture in. it doesn't tell you what resolution it will be in, though. you pick smaller sizes so it doesn't take forever to email, i guess. you get told what the size of the attachment will be in Kb after you pick the size (sometimes on my blackberry the original size says it's too big to email, i assume my data provider or email account puts some limit on that.) when i got the pic at my other computer, i looked to see what size it was, and the medium pic was emailed to me as an exact 800x600 picture. i did not reimage or resize it myself. and this is the exif data i could see:

http://i89.photobucket.com/albums/k225/milowent/bbtest.jpg

note it doesn't say the model of the blackberry or who took the pic.

the only thing i think that identifies the alleged weiner pic as a blackberry pic is the "rim" reference, which i assume to be Research in motion, who makes blackberry.

i saw some comments that the other pics on weiners account do not have the same exif data but i have not looked into that.

milowent said...

i looked at one of the pics still on weiner's yfrog account (of obama) and it's a 640x480 shot, which does identify the model of blackberry the photo was taken on.

Anonymous said...

Singing @ Woman Voter

Oh, the account said it doesn't store owner information and gave all the other details on VIEW IMAGE INFO:

Start
http://desmond.yfrog.com/Himg614/scaled.php?tn=0&server=614&filename=str4s.jpg&xsize=640&ysize=640
END
above was view source, only a little bit. Below is SOURCE CODE
of your experiment (Delete if it freaks you out): START

Crimmie the comment thingie wouldn't accept the SOURCE CODE, but I did get it.
END
I WANT THE SOURCE CODE ME SELF ;-)

milowent said...

last comment: easiest way to pull off this as a hoax would be if you knew weiner's yfrog email address. email a blackberry pic to that email address with (@subject) in text and you'd create exactly what happened here.

would require no password hacking (you wouldn't even need to know his password to do it).

the chance that somewhere along the way that weiners yfrog address had been leaked? pretty damn high. it would happen if weiner or an aide simply forwarded a pic he emailed to his yfrog account to anyone else (thus showing the yfrog email address in the chain).

no other hacking method would be as easy as this, though they are possible.

Joseph Cannon said...

milowent, I really must thank you for all you have done. You've given us a lot to chew on here.

Anon, the date stamp would seem damning.

milowent said...

additional comment re my last comment: ok, i went back to yfrog a few minutes after my last comment when i posted a pic to yfrog from a different email address, and NOW the URL does appear below the header.

http://i89.photobucket.com/albums/k225/milowent/rightafterupload-showsuplater.jpg

http://i89.photobucket.com/albums/k225/milowent/rightafterupload.jpg

not sure what this means. however, it could mean that the URL does not appear on yfrog under the username right away for new posts, here the screenshot would have been taken within a few minutes of posting, and the URL would not have appeared yet.

however, in cannon's example in the post, the URL still has not appeared 26 minutes after the post of the pic was made. so it's not clear to me what is happening here.

Anonymous said...

This is fascinating, Joseph - great work!

Please don't get annoyed if you've already explained this, but milowent knew your yfrog address because you told him.

How did Dan Wolfe find out Weiner's yfrog address? Is it something you can guess from the twitter user name? If not, how do you think he might have gotten hold of it?

DaveB

Anonymous said...

@Patriotusa76 may be a dupe for his buddy @goatsred. Why? Here's a start
http://twitter.com/#!/goatsred/status/68507099574976515
His yfrog account has more.