Privacy expert dismisses PRISM-busting typeface as 'art project'

If you really want unbreakable message security, buy a pigeon

Attempts to use a mixed-up font that makes machine reading more difficult in order to foil NSA snoopers or hackers are almost certain to fail, according to privacy experts.

Sang Mun, a former South Korean Army man who worked in liaison with the US National Security Agency (NSA) during his service, spent a year creating the ZXX family of fonts, which aim to make it harder for computers to read messages.

ZXX fonts are designed to work in a similar way to the Captcha challenges that internet users often have to pass to register for a new web service: they are meant to be difficult for computers to solve but straightforward for humans.

ZXX text even looks a bit like a Captcha, as this example, via a blog post by independent security watcher Graham Cluley, illustrates.

[Image: ZXX font example]

However, as Cluley points out, the modus operandi of intelligence agencies such as the NSA, GCHQ, and the rest involves tapping into internet communications in bulk by running deep packet inspection probes on fibre optic communications or by obtaining stored data.

Scanning letters or printed communications isn't necessary, making the ZXX font less of a resounding blow for internet freedom and more of a quixotic project of little practical use.

"Regardless of whether you communicate electronically using Sang Mun's font, Comic Sans or something more traditional, it makes no difference to anyone spying electronically on your communications," Cluley explains.

"The computers which might be spying on your communications don't see the font like a human would, they just see a bunch of numbers which they piece together back into characters and ultimately words, phrases and sentences.

So, it makes no difference to these computers if a font, for example, disguises a capital 'T' as a capital 'G'."

Sang bills ZXX as a disruptive typeface. It takes its name from the Library of Congress' three-letter language code used when the language of a book is unknown or not applicable: code "ZXX" stands for "No linguistic content; Not applicable".

The ongoing project has been running for some months, but the whole thing has been given a new lease of life by the revelations about uncontrolled internet surveillance over recent weeks by the NSA and GCHQ.

In an update to his blog post on how ZXX is a "Defiant Typeface", Sang explains that he's quite well aware that digital text fundamentally relies on binary codes, which can be intercepted and analysed.

"This project/post is focused on raising awareness, which I should've articulated better," he said. "It would be great if further conversations ruminated over the growing surveillance state and how we should act."

Cluley adds the caveat that ZXX might be useful if you send messages as images. "In those cases, optical character recognition (OCR) technology may find it difficult to decipher the secret message you have placed inside a JPEG, GIF or PNG file," he said.

The secret services have little need to use OCR (at least, not primarily) to snoop on communications. If the need did arise, then we can be reasonably confident that the likes of the NSA would rapidly come up with a means to decipher something like ZXX from images automatically. Cluley said that for anyone serious about privacy, end-to-end encryption using something like PGP remains the best option.

He concludes: "Quite frankly, if you're going to all the effort of composing messages in an image editor, why aren't you using proper end-to-end encryption on your sensitive messages anyway, ensuring that if they do fall into the wrong hands they can't be deciphered?"

"It's a nice art project by Sang Mun, but I don't think anyone serious about keeping their conversations private from the-powers-that-be will be rushing to add it to their portfolio of privacy tools," he adds. ®

Bootnote

One of the documents relating to the NSA's PRISM programme released by Snowden suggests those who use encryption technologies such as PGP and TrueCrypt are more likely to have their information stored. There's nothing to suggest that even the NSA can readily break these algorithms, whose security ultimately relies on mathematical proofs concerning the difficulty of factoring the product of two very large prime numbers. Advances in cryptanalysis or quantum computing might make even the best privacy-protecting technologies we have now crackable in the future.

So the really paranoid need to think ahead.

A combination of carrier pigeons and one-time pads is the best scheme El Reg's tinfoil-hat desk can think of right now. Properly implemented, such a system would foil computer-based cracking. Such systems, although tested by secret agents during World War II, are not very scalable and also suffer from bird shit–related problems.
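As an added illustration (not part of the article, of Cluley's post or of Sang Mun's project), the following Python models the two points made above: the bulk scanner Cluley describes reads code points, not glyph shapes, so a font that draws a capital 'T' as a 'G' changes nothing on the wire, whereas a one-time pad, used exactly once with a pad at least as long as the message, leaves a keyword scanner nothing to match. The HTML fragment, the toy glyph map and the keyword list are constructed for the example, and `two_time_pad_leak` shows the "properly implemented" caveat: reuse the pad and it cancels out of the XOR of the two ciphertexts.

```python
"""Added example: font disguise versus a one-time pad, seen from the wire.

Constructed sample inputs; no real traffic or fonts involved.
"""
import re
import secrets

# Constructed sample: a message marked up to use the ZXX font in HTML.
# The font only affects how glyphs are drawn on the recipient's screen;
# the bytes on the wire still carry the ordinary code points.
ZXX_STYLED_HTML = (
    '<p style="font-family: ZXX Camo, ZXX, serif">'
    "Meet at the TOP SECRET location at noon.</p>"
)

# Toy "font" in the spirit of the article's example: a capital T is drawn as a G.
# Rendering happens after delivery, never on the wire.
DISGUISED_GLYPHS = {"T": "G"}


def render(text: str, glyphs: dict) -> str:
    """What a human sees on screen once the glyph-swapping font is applied."""
    return "".join(glyphs.get(ch, ch) for ch in text)


def keyword_scan(wire_bytes: bytes, keywords) -> list:
    """Simulated bulk scanner: it decodes code points and matches text.

    It never sees a glyph, so a disguised font is invisible to it.
    """
    text = wire_bytes.decode("utf-8", errors="replace")
    return [kw for kw in keywords if re.search(re.escape(kw), text, re.IGNORECASE)]


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a uniformly random pad at least as long as the message.

    The pad must be used once and then destroyed; see two_time_pad_leak.
    """
    if len(pad) < len(plaintext):
        raise ValueError("pad must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, pad))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Why 'properly implemented' matters: if one pad encrypts two messages,
    ct1 XOR ct2 == m1 XOR m2. The pad cancels out and the two plaintexts
    are exposed relative to each other, so the pad no longer protects them.
    """
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def demo() -> dict:
    """Run both halves of the argument on the constructed message."""
    keywords = ["top secret", "noon"]
    wire = ZXX_STYLED_HTML.encode("utf-8")

    # 1. Font applied: the human sees 'GOP SECREG', the scanner still matches both keywords.
    seen_by_human = render("TOP SECRET", DISGUISED_GLYPHS)
    found_in_styled = keyword_scan(wire, keywords)

    # 2. Same bytes under a fresh random pad: the scanner has nothing to match,
    #    and only the holder of the pad gets the message back.
    pad = secrets.token_bytes(len(wire))
    ciphertext = otp_encrypt(wire, pad)
    found_in_ciphertext = keyword_scan(ciphertext, keywords)
    recovered = otp_decrypt(ciphertext, pad)

    return {
        "seen_by_human": seen_by_human,
        "found_in_styled": found_in_styled,
        "found_in_ciphertext": found_in_ciphertext,
        "recovered": recovered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The scanner is deliberately naive (a case-insensitive keyword match) because that is all it takes: any system that handles text as code points, from a packet-inspection probe to a stored-data search, sees past the font. The pad in `demo` comes from `secrets.token_bytes`, so the ciphertext differs on every run; what stays constant is that decryption with the same pad returns the original bytes and that reusing a pad hands back `m1 XOR m2`.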
