Inducing self-NSFW classification in image models to prevent deepfakes edits

20•Genesis_rish•1d ago

Hey guys, I was playing around with adversarial perturbations on image generation to see how much distortion it actually takes to stop models from generating or to push them off-target. That mostly went nowhere, which wasn’t surprising.

Then I tried something a bit weirder: instead of fighting the model, I tried pushing it to classify uploaded images itself as NSFW, so it ends up triggering its own guardrails.

This turned out to be more interesting than expected. It’s inconsistent and definitely not robust, but in some cases relatively mild transformations are enough to flip the model’s internal safety classification on otherwise benign images.

This isn’t about bypassing safeguards, if anything, it’s the opposite. The idea is to intentionally stress the safety layer itself. I’m planning to open-source this as a small tool + UI once I can make the behavior more stable and reproducible, mainly as a way to probe and pre-filter moderation pipelines.

If it works reliably, even partially, it could at least raise the cost for people who get their kicks from abusing these systems.

Comments

ukprogrammer•1d ago

deepfake edits are a feature, not a bug

kyriakos•1d ago

its the same as banning knives because they can be used to hurt people. we shouldn't ban tools.

instagraham•1d ago

with that analogy, OP's solution is akin to banning the use of knives to harm people, as opposed to banning the knife itself

kyriakos•1d ago

If I undestood correctly he's unsharpening knives.

pentaphobe•1d ago

Or making knives that turn into overcooked noodles if you try to use them on anything except vegetables and acceptable meats

kyriakos•1d ago

and who decides if I want to use a knife to cut mushrooms instead? see where I am going, there are (or could exist) legit cases when you need to use it in a non-standard way, one that the model authors didn't anticipate.

blackbear_•1d ago

But we do ban tools sometimes: you can't bring a knife to a concert, for good reason.

ben_w•1d ago

In this case, image generation and editing AI is a tool which we managed just fine with until three years ago, and where the economic value of that tool remains extremely questionable despite it being a remarkable improvement in the state of the art.

As a propaganda tool it seems quite effective, but for that it's gone from "woo free-speech" to "oh no epistemic collapse".

pentaphobe•1d ago

> we shouldn't ban tools

When I see the old BuT FrEe SpEeCH argument repurposed to impinge civil rights I start warming to the idea of banning tools.

Alternately "Chemical weapons don't kill people, people with chemical weapons kill people"

kyriakos•1d ago

Not really, its like banning chemistry sets cause they may be used to create chemical weapons.

pentaphobe•21h ago

Not sure the comparison works when it does all the work for you

I've had very little success mumbling "you are an expert chemist..." to test tubes and raw materials.

Almondsetat•1d ago

If social media required ID, you could maintain the freedom of being able to use these tools for anything legal, while swiftly detecting and punishing illegal usage. IMHO, you can't have your cake and eat it too: either you want privacy and freedom but you accept people will use these things unlawfully and never get caught, or you accept being identified and having perpetrators swiftly dealt with

bulbar•1d ago

Same is true outside of the Internet. With cameras and face recognition everywhere, criminals can be swiftly dealt with. At least that's what people tend to believe.

pentaphobe•1d ago

Obligatory Benn Jordan link (YouTube - ~11mins)

This Flock Camera Leak is like Netflix for Stalkers

https://youtube.com/watch?v=vU1-uiUlHTo

dfajgljsldkjag•1d ago

This might prevent the image from being used in edits, but the downside is that it runs the risk of being flagged as nfsw when the unmodified image is used in a benign way. This could lead to obvious consequences.

pentaphobe•1d ago

This is a really cool idea, nice work!

Is it any more effective than (say) messing with its recognition so that any attempt to deepfake just ends up as garbled nonsense?

Can't help wondering if the censor models get tweaked more frequently and aggressively (also presumedly easier to low-pass on a detector than a generator, since lossiness doesn't impact final image)

Vienam bans unskippable ads

Stop Doom Scrolling, Start Doom Coding: Build via the terminal from your phone

Spherical Snake

Dude, where's my supersonic jet?

Show HN: Jax-JS, array library in JavaScript targeting WebGPU

Show HN: Prism.Tools – Free and privacy-focused developer utilities

Launch HN: Tamarind Bio (YC W24) – AI Inference Provider for Drug Discovery

Passing of Joe Mancuso author of Masonite (Python web framework)

enclose.horse

Loongarch Improvements with Box64

Why agents matter more than other AI

Locating a Photo of a Vehicle in 30 Seconds with GeoSpy

Why Big Companies Keep Failing: The Stack Fallacy (2016)

My Tamagotchi is an RL agent playing Slither.io

Creating a Bespoke Data Diode for Air‑Gapped Networks

I wanted a camera that doesn't exist – so I built it

Hierarchical Autoregressive Modeling for Memory-Efficient Language Generation

Using fewer syllables to express numbers

High-performance header-only container library for C++23 on x86-64

Show HN: Stash – Sync Markdown Files with Apple Notes via CLI

AWS raises GPU prices 15% on a Saturday, hopes you weren't paying attention

High-Performance DBMSs with io_uring: When and How to use it

Why is the Gmail app 700 MB?

Gemini Protocol Deployment Statistics

Repair a ship’s hull still in the river in -50˚C (2022)

Show HN: ccrider - Search and Resume Your Claude Code Sessions – TUI / MCP / CLI

Volkswagen Brings Back Physical Buttons

Video Game Websites in the early 00s

65% of Hacker News posts have negative sentiment, and they outperform

DatBench: Discriminative, faithful, and efficient VLM evaluations

Vienam bans unskippable ads

Stop Doom Scrolling, Start Doom Coding: Build via the terminal from your phone

Spherical Snake

Dude, where's my supersonic jet?

Show HN: Jax-JS, array library in JavaScript targeting WebGPU

Show HN: Prism.Tools – Free and privacy-focused developer utilities

Launch HN: Tamarind Bio (YC W24) – AI Inference Provider for Drug Discovery

Passing of Joe Mancuso author of Masonite (Python web framework)

enclose.horse

Loongarch Improvements with Box64

Why agents matter more than other AI

Locating a Photo of a Vehicle in 30 Seconds with GeoSpy

Why Big Companies Keep Failing: The Stack Fallacy (2016)

My Tamagotchi is an RL agent playing Slither.io

Creating a Bespoke Data Diode for Air‑Gapped Networks

I wanted a camera that doesn't exist – so I built it

Hierarchical Autoregressive Modeling for Memory-Efficient Language Generation

Using fewer syllables to express numbers

High-performance header-only container library for C++23 on x86-64

Show HN: Stash – Sync Markdown Files with Apple Notes via CLI

AWS raises GPU prices 15% on a Saturday, hopes you weren't paying attention

High-Performance DBMSs with io_uring: When and How to use it

Why is the Gmail app 700 MB?

Gemini Protocol Deployment Statistics

Repair a ship’s hull still in the river in -50˚C (2022)

Show HN: ccrider - Search and Resume Your Claude Code Sessions – TUI / MCP / CLI

Volkswagen Brings Back Physical Buttons

Video Game Websites in the early 00s

65% of Hacker News posts have negative sentiment, and they outperform

DatBench: Discriminative, faithful, and efficient VLM evaluations

Inducing self-NSFW classification in image models to prevent deepfakes edits

Comments