Inducing self-NSFW classification in image models to prevent deepfakes edits

20•Genesis_rish•1mo ago

Hey guys, I was playing around with adversarial perturbations on image generation to see how much distortion it actually takes to stop models from generating or to push them off-target. That mostly went nowhere, which wasn’t surprising.

Then I tried something a bit weirder: instead of fighting the model, I tried pushing it to classify uploaded images itself as NSFW, so it ends up triggering its own guardrails.

This turned out to be more interesting than expected. It’s inconsistent and definitely not robust, but in some cases relatively mild transformations are enough to flip the model’s internal safety classification on otherwise benign images.

This isn’t about bypassing safeguards, if anything, it’s the opposite. The idea is to intentionally stress the safety layer itself. I’m planning to open-source this as a small tool + UI once I can make the behavior more stable and reproducible, mainly as a way to probe and pre-filter moderation pipelines.

If it works reliably, even partially, it could at least raise the cost for people who get their kicks from abusing these systems.

Comments

ukprogrammer•1mo ago

deepfake edits are a feature, not a bug

kyriakos•1mo ago

its the same as banning knives because they can be used to hurt people. we shouldn't ban tools.

instagraham•1mo ago

with that analogy, OP's solution is akin to banning the use of knives to harm people, as opposed to banning the knife itself

kyriakos•1mo ago

If I undestood correctly he's unsharpening knives.

pentaphobe•1mo ago

Or making knives that turn into overcooked noodles if you try to use them on anything except vegetables and acceptable meats

kyriakos•1mo ago

and who decides if I want to use a knife to cut mushrooms instead? see where I am going, there are (or could exist) legit cases when you need to use it in a non-standard way, one that the model authors didn't anticipate.

blackbear_•1mo ago

But we do ban tools sometimes: you can't bring a knife to a concert, for good reason.

ben_w•1mo ago

In this case, image generation and editing AI is a tool which we managed just fine with until three years ago, and where the economic value of that tool remains extremely questionable despite it being a remarkable improvement in the state of the art.

As a propaganda tool it seems quite effective, but for that it's gone from "woo free-speech" to "oh no epistemic collapse".

pentaphobe•1mo ago

> we shouldn't ban tools

When I see the old BuT FrEe SpEeCH argument repurposed to impinge civil rights I start warming to the idea of banning tools.

Alternately "Chemical weapons don't kill people, people with chemical weapons kill people"

kyriakos•1mo ago

Not really, its like banning chemistry sets cause they may be used to create chemical weapons.

pentaphobe•1mo ago

Not sure the comparison works when it does all the work for you

I've had very little success mumbling "you are an expert chemist..." to test tubes and raw materials.

Almondsetat•1mo ago

If social media required ID, you could maintain the freedom of being able to use these tools for anything legal, while swiftly detecting and punishing illegal usage. IMHO, you can't have your cake and eat it too: either you want privacy and freedom but you accept people will use these things unlawfully and never get caught, or you accept being identified and having perpetrators swiftly dealt with

bulbar•1mo ago

Same is true outside of the Internet. With cameras and face recognition everywhere, criminals can be swiftly dealt with. At least that's what people tend to believe.

pentaphobe•1mo ago

Obligatory Benn Jordan link (YouTube - ~11mins)

This Flock Camera Leak is like Netflix for Stalkers

https://youtube.com/watch?v=vU1-uiUlHTo

dfajgljsldkjag•1mo ago

This might prevent the image from being used in edits, but the downside is that it runs the risk of being flagged as nfsw when the unmodified image is used in a benign way. This could lead to obvious consequences.

pentaphobe•1mo ago

This is a really cool idea, nice work!

Is it any more effective than (say) messing with its recognition so that any attempt to deepfake just ends up as garbled nonsense?

Can't help wondering if the censor models get tweaked more frequently and aggressively (also presumedly easier to low-pass on a detector than a generator, since lossiness doesn't impact final image)

Study confirms experience beats youthful enthusiasm

The Big Hunger by Walter J Miller, Jr. (1952)

The Genus Amanita

We have broken SHA-1 in practice

Ask HN: Was my first management job bad, or is this what management is like?

Ask HN: How to Reduce Time Spent Crimping?

KV Cache Transform Coding for Compact Storage in LLM Inference

A quantitative, multimodal wearable bioelectronic device for stress assessment

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

How to shoot yourself in the foot – 2026 edition

Eight More Months of Agents

From Human Thought to Machine Coordination

The new X API pricing must be a joke

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

Python Only Has One Real Competitor

Tmux to Zellij (and Back)

Ask HN: How are you using specialized agents to accelerate your work?

Passing user_id through 6 services? OTel Baggage fixes this

DavMail Pop/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway

Visual data modelling in the browser (open source)

Show HN: Tharos – CLI to find and autofix security bugs using local LLMs

Oddly Simple GUI Programs

The New Playbook for Leaders [pdf]

Interactive Unboxing of J Dilla's Donuts

OneCourt helps blind and low-vision fans to track Super Bowl live

Rudolf Vrba

Autism Incidence in Girls and Boys May Be Nearly Equal, Study Suggests

Wellness Hotels Discovery Application

NASA delays moon rocket launch by a month after fuel leaks during test

Study confirms experience beats youthful enthusiasm

The Big Hunger by Walter J Miller, Jr. (1952)

The Genus Amanita

We have broken SHA-1 in practice

Ask HN: Was my first management job bad, or is this what management is like?

Ask HN: How to Reduce Time Spent Crimping?

KV Cache Transform Coding for Compact Storage in LLM Inference

A quantitative, multimodal wearable bioelectronic device for stress assessment

Why Big Tech Is Throwing Cash into India in Quest for AI Supremacy

How to shoot yourself in the foot – 2026 edition

Eight More Months of Agents

From Human Thought to Machine Coordination

The new X API pricing must be a joke

Show HN: RMA Dashboard fast SAST results for monorepos (SARIF and triage)

Show HN: Source code graphRAG for Java/Kotlin development based on jQAssistant

Python Only Has One Real Competitor

Tmux to Zellij (and Back)

Ask HN: How are you using specialized agents to accelerate your work?

Passing user_id through 6 services? OTel Baggage fixes this

DavMail Pop/IMAP/SMTP/Caldav/Carddav/LDAP Exchange Gateway

Visual data modelling in the browser (open source)

Show HN: Tharos – CLI to find and autofix security bugs using local LLMs

Oddly Simple GUI Programs

The New Playbook for Leaders [pdf]

Interactive Unboxing of J Dilla's Donuts

OneCourt helps blind and low-vision fans to track Super Bowl live

Rudolf Vrba

Autism Incidence in Girls and Boys May Be Nearly Equal, Study Suggests

Wellness Hotels Discovery Application

NASA delays moon rocket launch by a month after fuel leaks during test

Inducing self-NSFW classification in image models to prevent deepfakes edits

Comments