Privacy expert dismisses PRISM-busting typeface as 'art project'

If you really want unbreakable message security, buy a pigeon

Attempts to use a mixed-up font that makes machine reading more difficult in order to foil NSA snoopers or hackers are almost certain to fail, according to privacy experts.

Sang Mun, a former South Korean Army man who worked in liaison with the US National Security Agency (NSA) during his service, spent a year creating the ZXX family of fonts, which aim to make it harder for computers to read messages.

ZXX fonts are designed to work in a similar way to Captcha challenges, of the type internet users are often required to go through to register for a new web service, in that they are difficult for computers to solve but straightforward for humans.

ZXX text even looks a bit like a Captcha, as this example, via a blog post by independent security watcher Graham Cluley illustrates.

[Image: ZXX font example]

However, as Cluley points out, the modus operandi of intelligence agencies such as the NSA, GCHQ, and the rest involves tapping into internet communications in bulk by running deep packet inspection probes on fibre optic communications or by obtaining stored data.

Scanning letters or printed communications isn't necessary, which makes the ZXX font less of a resounding blow for internet freedom and more of a quixotic project of little practical use.

"Regardless of whether you communicate electronically using Sang Mun's font, Comic Sans or something more traditional, it makes no difference to anyone spying electronically on your communications," Cluley explains.

"The computers which might be spying on your communications don't see the font like a human would, they just see a bunch of numbers which they piece together back into characters and ultimately words, phrases and sentences.

"So, it makes no difference to these computers if a font, for example, disguises a capital 'T' as a capital 'G'."
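Cluley's point, that an interception box works on bytes and never "sees" a typeface, is easy to show in code. The following is an added example written for this page, not code from Cluley or from the ZXX project: it takes a constructed HTML message that declares the ZXX font in its CSS and performs the same steps a passive probe or a mail gateway's content filter would, decoding the bytes into characters and words. The font declaration is just more bytes in the stream; the words are recovered regardless of what glyphs a human would have been shown.

```python
import html
import re

# Constructed sample: an HTML e-mail body that asks the recipient's renderer
# to display everything in a ZXX typeface. Nothing here is a real message.
SAMPLE_MESSAGE = b"""<html><head><style>
@font-face { font-family: "ZXX Camo"; src: url("zxx-camo.woff"); }
body { font-family: "ZXX Camo", sans-serif; }
</style></head>
<body><p>The merger closes Friday &ndash; keep it confidential.</p></body></html>"""


def declared_fonts(payload: bytes) -> list:
    """List the font families the document asks a renderer to use.

    This is the only place the typeface exists on the wire: as a name in CSS.
    The glyph shapes live in a separate font file that the text never carries.
    """
    css = payload.decode("utf-8", errors="replace")
    return re.findall(r'font-family:\s*"([^"]+)"', css)


def wire_bytes_to_text(payload: bytes) -> str:
    """What a probe or content filter does: bytes -> characters -> words.

    Style and script blocks, tags and entities are stripped because they are
    rendering instructions, not content. The remaining characters are the
    message exactly as the author typed it, whatever font was requested.
    """
    doc = payload.decode("utf-8", errors="replace")
    doc = re.sub(r"<(style|script)\b.*?</\1>", " ", doc, flags=re.S | re.I)
    doc = re.sub(r"<[^>]+>", " ", doc)          # drop remaining tags
    return " ".join(html.unescape(doc).split())  # normalise entities/whitespace


def contains_term(payload: bytes, term: str) -> bool:
    """Case-insensitive term match on the recovered text, as a filter would do."""
    return term.lower() in wire_bytes_to_text(payload).lower()


if __name__ == "__main__":
    print("declared fonts:", declared_fonts(SAMPLE_MESSAGE))
    print("recovered text:", wire_bytes_to_text(SAMPLE_MESSAGE))
    print("matches 'confidential':", contains_term(SAMPLE_MESSAGE, "confidential"))
```

The font name is visible to the scanner, but it has no effect on the result: the recovered text is the same whether the CSS names ZXX, Comic Sans or nothing at all, because the typeface only changes how a client draws the characters after the bytes have already been read.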

Sang bills ZXX as a disruptive typeface. It takes its name from the Library of Congress' three-letter language code for cases where the language of a book is unknown or not applicable: code "ZXX" means "No linguistic content; Not applicable".

The ongoing project has been running for some months, but the whole thing has been given a new lease of life by the revelations about uncontrolled internet surveillance over recent weeks by the NSA and GCHQ.

In an update to his blog post on how ZXX is a "Defiant Typeface", Sang explains that he's quite well aware that digital text fundamentally relies on binary codes, which can be intercepted and analysed.

"This project/post is focused on raising awareness, which I should've articulated better," he said. "It would be great if further conversations ruminated over the growing surveillance state and how we should act."

Cluley adds the caveat that ZXX might be useful if you send messages as images. "In those cases, optical character recognition (OCR) technology may find it difficult to decipher the secret message you have placed inside a JPEG, GIF or PNG file," he said.

The secret services have little need to use OCR (at least, not primarily) to snoop on communications. If the need did arise, then we can be reasonably confident that the likes of the NSA would rapidly come up with a means to decipher something like ZXX from images automatically. Cluley said that for anyone serious about privacy, end-to-end encryption using something like PGP remains the best option.

He concludes: "Quite frankly, if you're going to all the effort of composing messages in an image editor, why aren't you using proper end-to-end encryption on your sensitive messages anyway, ensuring that if they do fall into the wrong hands they can't be deciphered?"

"It's a nice art project by Sang Mun, but I don't think anyone serious about keeping their conversations private from the-powers-that-be will be rushing to add it to their portfolio of privacy tools," he adds. ®

Bootnote

One of the documents relating to the NSA’s PRISM programme released by Snowden suggests those who use encryption technologies such as PGP and TrueCrypt are more likely to have their information stored. There's nothing to suggest that even the NSA can readily break these algorithms, whose security ultimately relies on mathematical proofs about the difficulty of factoring the product of two very large prime numbers. Advances in cryptanalysis or quantum computing might make even the best privacy-protecting technologies we have now crackable in the future.

So the really paranoid need to think ahead.

A combination of carrier pigeons and one-time pads is the best option El Reg's tinfoil-hat desk can think of now. Properly implemented, such a system would foil computer-based cracking. Such systems, although tested by secret agents during World War II, are not very scalable and also suffer from bird shit–related problems.
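"Properly implemented" is doing a lot of work in that sentence. The example below is added for this page (it is not code from the article's author or from any of the tools mentioned) and shows both halves of the one-time pad story with the standard library only: a pad drawn from the OS random source and used exactly once gives a ciphertext that is consistent with every plaintext of the same length, so no amount of computing can pick the right one; reuse the pad for a second message and the pad cancels out, so knowing one message reveals the other. Pigeons are assumed for transport.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. It must be at least as long as the message
    and must never be used for a second message."""
    return secrets.token_bytes(length)


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (the operation is its own inverse) by XOR with the pad.

    A pad shorter than the message would have to be stretched or reused, and
    a stretched or reused pad is no longer a one-time pad, so refuse it.
    """
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: not a one-time pad")
    return bytes(b ^ p for b, p in zip(data, pad))


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy, constructively: for ANY candidate plaintext of the same
    length there is a pad that turns this ciphertext into it. An attacker who
    tries every pad therefore 'recovers' every possible message and learns nothing."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ m for c, m in zip(ciphertext, candidate))


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """The failure mode: if c1 and c2 were made with the SAME pad, then
    c1 XOR c2 == p1 XOR p2. The pad has vanished from the equation."""
    return bytes(a ^ b for a, b in zip(c1, c2))


def recover_other_plaintext(leak: bytes, known_plaintext: bytes) -> bytes:
    """With the pad cancelled, knowing (or guessing) one message yields the other."""
    return bytes(x ^ k for x, k in zip(leak, known_plaintext))


if __name__ == "__main__":
    # Constructed sample messages; both 14 bytes so one pad covers either.
    p1 = b"attack at dawn"
    p2 = b"retreat at ten"

    # Correct use: one fresh pad per message.
    pad1, pad2 = generate_pad(len(p1)), generate_pad(len(p2))
    c1, c2 = otp_xor(p1, pad1), otp_xor(p2, pad2)
    assert otp_xor(c1, pad1) == p1 and otp_xor(c2, pad2) == p2

    # Why brute force is pointless: c1 'decrypts' to p2 under a different pad.
    alt = pad_consistent_with(c1, p2)
    print("c1 under another pad:", otp_xor(c1, alt))

    # Misuse: the same pad for both messages.
    c1_bad, c2_bad = otp_xor(p1, pad1), otp_xor(p2, pad1)
    leak = two_time_pad_leak(c1_bad, c2_bad)
    print("reused pad, p1 known ->", recover_other_plaintext(leak, p1))
```

The scalability complaint in the article falls out of the code: every message needs pad material as long as itself, generated once and delivered to the other party by a channel the adversary cannot read, which is exactly the problem the pigeon is there to solve.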
