Nightshade: Make Images Unsuitable for Model Training

Posted5d agoActive5d ago

homebrewer

49 points

26 comments

nightshade.cs.uchicago.eduResearchstory

informativeneutral

Debate

60/100

BioethicsAI SecurityMachine Learning Security

Key topics

Bioethics

AI Security

Machine Learning Security

The cat-and-mouse game between AI model trainers and artists is heating up with Nightshade, a tool that "poisons" images to make them unusable for model training. Commenters are divided on its effectiveness, with some calling it "snake oil" that will ultimately benefit industry, while others see it as a potential catalyst for artists to gain leverage against AI labs. As one commenter pointed out, the arms race between model robustness and image "poisoning" techniques may lead to unexpected security implications for unified models. The debate underscores the ongoing tension between AI development and artistic ownership.

Snapshot generated from the HN discussion

Discussion Activity

Moderate engagement

First comment

Peak period

1-2h

Avg / period

4.1

Comment distribution29 data points

Loading chart...

Based on 29 loaded comments

Key moments

01Story posted
Jan 4, 2026 at 7:32 AM EST
5d ago
Step 01
02First comment
Jan 4, 2026 at 8:35 AM EST
1h after posting
Step 02
03Peak activity
10 comments in 1-2h
Hottest window of the conversation
Step 03
04Latest activity
Jan 4, 2026 at 3:37 PM EST
5d ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (26 comments)

Showing 29 comments

andy99

5d ago

6 replies

This similar thing was posted a few weeks ago, and also apparently two years ago, glaze also from uchicago

https://news.ycombinator.com/item?id=46364338

https://news.ycombinator.com/item?id=35224219

We’ve seen this arms race before and know who wins. It’s all snake oil imo

vidarh

5d ago

1 reply

> We’ve seen this arms race before and know who wins. It’s all snake oil imo

It's kinda funny in a way because effectively they're helping iron out ways in which these models "see" differently to humans. Every escalation will in the end just help make the models more robust...

That they are disclosing the tools rather than e.g. creating a network service makes this even easier.

jappgar

5d ago

And now you know the only reason these labs get any funding.

It's all to benefit industry, whether the academics realize it or not.

tgv

5d ago

2 replies

Idk. Perhaps this technique doesn't work, but if someone comes up with a working system, and LLMs start using techniques to counter it, artists might have a leg to stand upon, as the use of the counter-technique makes clear that the scraper never had any intention of respecting terms of use.

pixl97

5d ago

No, not really.

In fact I would say the opposite is true. LLMs must protect against this as a security measure in unified models or things the LLM 'sees' may be faked.

If for example someone could trick you into seeing a $1 bill as a $10 it would be considered a huge failure on your part and it would be trained out of you if you wanted to remain employed.

vidarh

5d ago

They won't need to use counter techniques beyond fixing incorrect output from their models by making the general training methods more robust to features not seen by humans.

YeGoblynQueenne

5d ago

3 replies

>> We’ve seen this arms race before and know who wins. It’s all snake oil imo

I haven't and I don't know who wins. Who wins?

Adversarial examples aren't snake oil, if that's what you meant. There's a rich literature on both producing and bypassing them that has accumulated over the years, but while I haven't kept abreast with it, my recollection is that the bottom line is like that for online security: there's never a good reason not to make sure your system is up to date and protected from attacks, even if there exist attacks that can bypass any defense.

Where in this case attack and defense can both describe what artists want to do with their work.

jappgar

5d ago

1 reply

In an arms race, the party with the most money always wins.

gspr

5d ago

Citation needed.

pixl97

5d ago

This isn’t security...

Don't confuse attempting to make AI misclassify an image as a security measure.

And yes, this is snake oil and the AI wins every time.

At the end of the day a human has to be able to interpret the image, and I'd add another constraint of not thinking it looks ugly. This puts a very hard floor on what a poisoner can put in an image before the human gets sick. In a rapid turn around GAN you hit that noise floor really quickly.

torginus

5d ago

Aren't adversarial examples have to be trained to be effective against a specific recognizer?

I could imagine you could make one that was effective against multiple recognizers, but not in general.

I'd also guess it'd be easy to get rid of this vulnerability on the model side.

oth001

5d ago

3 replies

Doesn't mean artists should make it easy for these AI companies to steal artist IP. It doesn't take long to do and seems effective enough from what I've seen. BTW This is how cybersecurity works (cat and mouse etc)

vidarh

5d ago

1 reply

The problem is that it is an inherently intractable problem with the (temporary) solution space shrinking with each mitigation, as the images still needs to look good to people.

pixl97

5d ago

Exactly. This isn't like encryption where you can just keep adding more bits. Every iteration that gets closer to simulating how people see sets the floor.

jappgar

5d ago

1 reply

Real security systems don't publicize how they work.

This is just grandstanding. Half the people from this lab will go on to work for AI companies.

daeken

5d ago

1 reply

> Real security systems don't publicize how they work.

175 years of history would disagree with you: https://en.wikipedia.org/wiki/Security_through_obscurity

jappgar

5d ago

1 reply

That old saw. Downvote all you want. Adversarial engineering does indeed rely on obscurity, they just don't tell you that.

daeken

5d ago

I've been working in security for more than 20 years and have seen the deleterious effects of security through obscurity first-hand. Why does "adversarial engineering" rely on obscurity?

danielbln

5d ago

1 reply

What's with the "stealing" lingo? We were all making fun of the RIAA for conflating copyright infringement with stealing ("you wouldn't steal a car") and now we're doing the same?

ronsor

5d ago

The tides have turned; everyone here loves and respects copyright now.

cmxch

5d ago

AI model makers win, luddites lose.

Never mind that the more people try to corrupt a model, the more likely that future models will catch these corruption attempts as security and trust/safety issues to fix and work around.

The next Nightshade will eventually be viewed as malware to a model and then worked around, reconstructing around the attempt to break a model.

zelphirkalt

5d ago

Isn't there a huge cost imbalance? As in easy to add some noise, difficult to remove reliably, so that even if it gets removed, it could still be counted as a partial win defending against unwanted AI scraping.

throwfaraway135

5d ago

2 replies

I'm very skeptical about such systems, although they note that:

> You can crop it, resample it, compress it, smooth out pixels, or add noise, and the effects of the poison will remain. You can take screenshots, or even photos of an image displayed on a monitor, and the shade effects remain

if this becomes prevalent enough, you can create a lightweight classifier to remove "poisonous" images, then use some kind of neural-network(probably an autoencoder) to "fix" them. Training such networks won't be too difficult as you can create as many positive-negative samples as you want by using this tool.

A4ET8a8uTh0_v2

5d ago

As with most things like this, it is a cat and mouse game. On the one hand, I am annoyed, because I am personally rather firmly on the side of 'why are we spending time trying to prevent people doing this somewhat cool thing?', but at the same time, just like with drms, copy restrictions and all that idiocy, it raises a new line of kids with something to rebel against. So I guess it serves a purpose. On a third hand, can you imagine those minds being able to focus on something else?

torginus

5d ago

I dunno about this one, but I remember the previous versions suffered from visible artifacts to the point most artists elected not to use them as they made the output look bad.

It's also not obvious to me what happens with cartoon style art. Something that looks like white noise might be acceptable on an oil painting but not something with flat colors and clean lines.

mensetmanusman

5d ago

It would be funny if this type of research ends up adding major insight to what it is about human vision systems and mental encodings that make us different than pixel arrays with various transformations.

Tiberium

5d ago

I think the title should clarify the year - (2024), because those tools are not useful in the way artists want them to be.

cadamsdotcom

5d ago

Seems the same as these submissions from 2 years ago:

- https://news.ycombinator.com/item?id=38013151

- https://news.ycombinator.com/item?id=37990750

nodja

5d ago

I've run the first of the sample images through 3 captioning models, an old old ViT based booru style tagger, a more recent one and qwen 3 omni. All models successfully identified visual features of the image with no false positives at significant thresholds (>0.3 confidence)

I don't know what nightshade is supposed to do, but the fact that it doesn't affect the synthetic labeling of data at all leads me to believe image model trainers will have close to 0 consideration of what it does when training new models.

View full discussion on Hacker News

ID: 46487342Type: storyLast synced: 1/4/2026, 4:30:45 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN