Privacy expert dismisses PRISM-busting typeface as 'art project'

If you really want unbreakable message security, buy a pigeon

Attempts to use a mixed-up font that makes machine reading more difficult in order to foil NSA snoopers or hackers are almost certain to fail, according to privacy experts.

Sang Mun, a former South Korean Army man who worked in liaison with the US National Security Agency (NSA) during his service, spent a year creating the ZXX family of fonts, which aim to make it harder for computers to read messages.

ZXX fonts are designed to work in a similar way to Captcha challenges, of the type internet users are often required to go through to register for a new web service, in that they are difficult for computers to solve but straightforward for humans.

ZXX text even looks a bit like a Captcha, as this example, via a blog post by independent security watcher Graham Cluley illustrates.

[Image: ZXX font example]

However, as Cluley points out, the modus operandi of intelligence agencies such as the NSA, GCHQ, and the rest involves tapping into internet communications in bulk by running deep packet inspection probes on fibre optic communications or by obtaining stored data.

Scanning letters or printed communications isn't necessary, making the ZXX font less of a resounding blow for internet freedom and more of a quixotic project of little practical use.

"Regardless of whether you communicate electronically using Sang Mun's font, Comic Sans or something more traditional, it makes no difference to anyone spying electronically on your communications," Cluley explains.

"The computers which might be spying on your communications don't see the font like a human would, they just see a bunch of numbers which they piece together back into characters and ultimately words, phrases and sentences.

So, it makes no difference to these computers if a font, for example, disguises a capital 'T' as a capital 'G'."
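The point Cluley makes can be shown directly. The following is an added example, not code from the article or from the ZXX project: the same sentence is wrapped in two HTML fragments that differ only in the CSS `font-family` (the font name 'ZXX Camo' is borrowed from the project's naming; the markup, the sample message and the keyword list are constructed for illustration). Anything that processes the transport bytes rather than the rendered glyphs recovers identical code points from both, so a naive content filter matches both.

```python
"""Font choice versus character encoding (added illustration)."""
import html
import re

# Constructed sample message and a constructed keyword list for a toy content filter.
MESSAGE = "Meet at the usual place at 9pm"
KEYWORDS = ("usual place", "9pm")


def wrap_in_font(message: str, font_family: str) -> str:
    """Build an HTML fragment asking the renderer to draw `message` in `font_family`.
    The font only affects drawing; the characters travel unchanged."""
    return f"<span style=\"font-family: '{font_family}'\">{html.escape(message)}</span>"


def extract_text(fragment: str) -> str:
    """Strip tags and unescape entities: roughly what a content scanner indexes."""
    return html.unescape(re.sub(r"<[^>]+>", "", fragment))


def code_points(text: str) -> list[int]:
    """The numbers a machine actually sees for the text."""
    return [ord(c) for c in text]


def keyword_hits(text: str, keywords) -> list[str]:
    """Case-insensitive substring filter, in the order of `keywords`."""
    lowered = text.lower()
    return [k for k in keywords if k.lower() in lowered]


def compare_fonts(message: str = MESSAGE, fonts=("ZXX Camo", "Comic Sans MS")) -> dict:
    """Render the same message under each font name and compare what a scanner recovers."""
    texts = {f: extract_text(wrap_in_font(message, f)) for f in fonts}
    cps = {f: tuple(code_points(t)) for f, t in texts.items()}
    return {
        "identical_code_points": len(set(cps.values())) == 1,
        "hits": {f: keyword_hits(t, KEYWORDS) for f, t in texts.items()},
    }


if __name__ == "__main__":
    print(compare_fonts())
```

Swapping the glyph for 'T' with one that looks like 'G' changes only the font file; the byte 0x54 is what leaves the machine, and it is what any scanner inspects.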

Sang bills ZXX as a disruptive typeface which takes its name from the Library of Congress' three-letter code, in cases where the language of a book is unknown or not applicable. Code "ZXX" is used when there is: "No linguistic content; Not applicable".

The ongoing project has been running for some months, but the whole thing has been given a new lease of life by the revelations about uncontrolled internet surveillance over recent weeks by the NSA and GCHQ.

In an update to his blog post on how ZXX is a "Defiant Typeface", Sang explains that he's quite well aware that digital text fundamentally relies on binary codes, which can be intercepted and analysed.

"This project/post is focused on raising awareness, which I should've articulated better," he said. "It would be great if further conversations ruminated over the growing surveillance state and how we should act."

Cluley adds the caveat that ZXX might be useful if you send messages as images. "In those cases, optical character recognition (OCR) technology may find it difficult to decipher the secret message you have placed inside a JPEG, GIF or PNG file," he said.

The secret services have little need to use OCR (at least, not primarily) to snoop on communications. If the need did arise, then we can be reasonably confident that the likes of the NSA would rapidly come up with a means to decipher something like ZXX from images automatically. Cluley said that for anyone serious about privacy, end-to-end encryption using something like PGP remains the best option.

He concludes: "Quite frankly, if you're going to all the effort of composing messages in an image editor, why aren't you using proper end-to-end encryption on your sensitive messages anyway, ensuring that if they do fall into the wrong hands they can't be deciphered?"

"It's a nice art project by Sang Mun, but I don't think anyone serious about keeping their conversations private from the-powers-that-be will be rushing to add it to their portfolio of privacy tools," he adds. ®

Bootnote

One of the documents relating to the NSA's PRISM programme released by Snowden suggests those who use encryption technologies such as PGP and TrueCrypt are more likely to have their information stored. There's nothing to suggest that even the NSA can readily break these algorithms, whose security ultimately relies on mathematical proofs about the difficulty of factoring the product of two very large prime numbers. Advances in cryptanalysis or quantum computing might make even the best privacy-protecting technologies we have now crackable in the future.

So the really paranoid need to think ahead.

A combination of carrier pigeons and one-time pads is the best combination El Reg's tinfoil-hat desk can think of now. Properly implemented, such a system would foil computer-based cracking. Such systems, although tested by secret agents during World War II, are not very scalable and also suffer from bird shit–related problems.
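"Properly implemented" is doing a lot of work in that sentence. As an added example (not part of the article), here is a minimal XOR one-time pad in Python together with the failure mode that implementations most often get wrong. The pad comes from the operating system's CSPRNG via `secrets.token_bytes`, must be exactly as long as the message, and must be used once; the second function shows why, since two ciphertexts under the same pad XOR together to the XOR of the two plaintexts, with the pad cancelling out entirely. The sample messages are constructed.

```python
"""One-time pad: correct use, and what key reuse leaks (added illustration)."""
import secrets


def generate_pad(length: int) -> bytes:
    """A fresh, uniformly random pad of exactly `length` bytes (OS CSPRNG)."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt; XOR is its own inverse.
    A pad shorter than the data is refused: truncating or cycling it is exactly
    the shortcut that destroys the perfect-secrecy argument."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the data")
    return bytes(d ^ p for d, p in zip(data, pad))


def roundtrip(message: bytes) -> tuple[bytes, bytes, bytes]:
    """Encrypt under a fresh pad and decrypt again; returns (pad, ciphertext, recovered)."""
    pad = generate_pad(len(message))
    ciphertext = otp_xor(message, pad)
    return pad, ciphertext, otp_xor(ciphertext, pad)


def two_time_pad_leak(m1: bytes, m2: bytes, pad: bytes) -> bytes:
    """What an observer holding both ciphertexts can compute if the pad was reused:
    c1 XOR c2 == m1 XOR m2, with no knowledge of the pad at all.
    Wherever the result is 0x00 the two messages share a byte; the pad hid nothing
    about how the messages relate."""
    c1 = otp_xor(m1, pad)
    c2 = otp_xor(m2, pad)
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed sample messages of equal length.
    m1 = b"ATTACK AT DAWN"
    m2 = b"RETREAT NOW!!!"
    pad, ct, recovered = roundtrip(m1)
    print("recovered ok:", recovered == m1)
    leak = two_time_pad_leak(m1, m2, pad)
    print("reused pad leaks m1 XOR m2:", leak == bytes(a ^ b for a, b in zip(m1, m2)))
```

The pad itself still has to reach the other side by a channel the adversary cannot read, which is where the pigeon comes in; the code above does nothing about that problem, only about the two that software tends to get wrong (weak randomness and reuse).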
