Feeds

back to article Privacy expert dismisses PRISM-busting typeface as 'art project'

Attempts to use a mixed-up font that makes machine reading more difficult in order to foil NSA snoopers or hackers are almost certain to fail, according to privacy experts. Sang Mun, a former South Korean Army man who worked in liaison with the US National Security Agency (NSA) during his service, spent a year creating the ZXX …

COMMENTS

This topic is closed for new posts.

Page:

Angel

UTF-8 alternative

Otherwise you could compose message avoiding standard characters - using UTF-8 alternative

instead.

As seen in alt.free.newsservers here:

http://groups.google.com/forum/#!topic/alt.free.newsservers/jR21H6TnYG0

[Note El Reg complains if you try to cut and past that example into this forum - may be our developers are smarted than we thought.

0
0
Silver badge

Re: UTF-8 alternative

Just using a different fixed font encoding is identical to using using the oldest cypher in the book: simple substitution. You can easily simulate the enigma machine on your PC, and that is much better than the proposed solution. However, note that fairly old computer machinery could already crack that (with the help of some nifty linguistic trickery and a few coding blunders of the Germans)

One-time pads do a rather better job, and are easily accessible (though harder to distribute).

1
1
Anonymous Coward

No

It's not equivalent to any kind of cypher.

As stated in the article, the computer is looking at the ASCII or UTF character codes, the font doesn't even come into it.

0
0
Bronze badge
Unhappy

Re: No

Right apropos PRISM. A font will not even slow PRISM down.

We live in strange times though. Advertisers would consider an unusual font a cypher to be cracked. It draws their attention and in doing so draws other Advertisers attention, and others ... The avalanche effect violates Kerckhoff's Principle or Shannon's Maxim (whatever your preference)

"It must not be required to be secret, and it must be able to fall into the hands of the enemy without inconvenience".

If Google+ declares a font a cypher, then Facebook, Linkedin, Amazon ... wants to "crack" it as well. They line up, and the Web slows to a crawl. The unintended consequence of building a better "Art Form" is a Gallery full of Paparazzi waiting for a Celibrity to appear.

0
0
Silver badge

Re: No

Have I missed something here?

Type out your message in the fuzzy font

Take a screenshot

email the picture to the recipient.

Flaws?

I have another idea---banner font size 32, Ascii art FTW - All your data are belong to us

0
0
Silver badge

Correction:

PGP/GPG rely on the prime-number thing. Truecrypt does not. It uses a different type of encryption entirely. Somewhat amusingly, two of the three cyphers it supports were developed on behalf of the US government.

1
1
Silver badge
Boffin

Re: Correction:

PGP/GPG relies on the prime number thingy for secret key transmission. It is only used for sending the encryption key used by the symmetrical encryption algorithm which is used for the actual message. The symmetrical encryption algorithms used by PGP/GPG are also used in TrueCrypt, specifically AES.

TrueCrypt requires recipients to know a secret key/passphrase beforehand, and that's where you need something like PGP or roll out your own RSA implementation for that. And that's where you end up using the prime number thingy, or maybe Elliptic Curve if you can do that.

2
0

Expert?

You don't need to be an expert of any kind to see that this was a ridiculous idea.

5
0
Pint

Re: Expert?

Um.... given that the original work was by a Korean, I wonder if in our rush to ridicule, perhaps something has been lost in translation.

Perhaps the intention is to send a message which appears to be digital garbage, essentially using the font as a Caeserian Cypher. PRISM, the NSA, GCSB, GCHQ etc see "Xy kxtrt" but when you view that message using a particular font you see "Hi there".

And given that lowercase and uppercase characters have difference code points, you can even make letter distribution analysis more difficult by employing a different Caesar Shift for upper and lowercase (not to mention rotations that mix non-letter and letter characters etc).

So even if the original effort was not along these lines and really was as naive as the report of the report of the blog post suggests, the essence of the idea has some validity.

i.e. send messages which make no sense when examined as a series of character code points, and which only make sense when rendered visually using a very specific font. Adding CAPTCHA style obfuscation then becomes your last line of defence against snooping, should the authorities render your message using the required font and attempt to OCR it.

The foolishness of that final defence is only that if the snoopers have reached a level of awareness that they know with which font to render before attempting to OCR, then with only a small effort with a few correctly rendered messages, humans could quickly decode the Caesar shift in the font and apply that algorithmically to all other similar digital messages - no need to OCR.

0
2
Silver badge

Re: Expert?

Maybe if you use it they flag you as low hanging fruit to be investigated.

1
0
Silver badge
IT Angle

Re: Expert?

Yeah, I hadn't finished reading half of the headline, before I saw this was a nonsense idea.

1
0

Re: Expert?

Sorry, but using a encryption scheme that pre-dates Julius Caesar isn't a good idea however you look at it. There's a reason why we have RSA, AES et al - because anything susceptible to frequency analysis *is* useless.

The last time I rolled my own encryption was a decade ago and even then I accepted that it was merely obfuscation as performance was far more of a concern. Encryption should be left to the mathemagicians.

I'm aware that this was done to raise awareness, but even my non-techie friends are talking about the NSA and Snowden. There may be a plus-side however - cretinous [would be] terrorists and criminals may start using this to "encrypt" their word documents*.

* Caesar Cipher

In 2011, Rajib Karim was convicted in the United Kingdom of "terrorism offences" after using the Caesar cipher to communicate with Bangladeshi Islamic activists discussing plots to blow up British Airways planes or disrupt their IT networks. Although the parties had access to far better encryption techniques (Karim himself used PGP for data storage on computer disks), they chose to use their own scheme(implemented in Microsoft Excel), rejecting a more sophisticated code program called Mujhaddin Secrets "because 'kaffirs', or non-believers, know about it, so it must be less secure"

0
0
Gav
Boffin

Re: Expert? @Jolyon Smith

You've an interesting idea there, but that doesn't appear to be what the designer of the font is proposing. He really is talking about rendering ASCII codes in weird ways, which is absolutely no hurdle to decoding if you have access to the original bytes making up those codes. Just render the bytes in standard Ariel and all is revealed. So really, this achieves nothing unless you are prepared to send all your internet communications as bitmaps, and if you're willing to go to that length you are as well using proper encryption.

Anyway, to get back to what you suggest; all it amounts to is encoding the text and using the font to decode. Which font you use is the key to unlocking it. Which would work, but the simplest of encryption applications could perform exactly the same with millions of different keys, without need for millions of different fonts.

0
1
Silver badge

Well duh

I've written to the NSA suggesting they read the characters directly from the bytestream rather than printing intercepts out in the sender's preferred font and OCR'ing them back into a legible form. I'm hoping to hear back from them soon.

Oh shit I just realised I used the ZXX crypto font when I sent my suggestion!

2
0
Coat

"...suffer from bird shit–related problems."

Most communication on the Internet is shit anyway.

0
0
Silver badge
Joke

Re: "...suffer from bird shit–related problems."

You mean we've been running RFC1149 in place of undersea cables all this time?

And here I was thinking it was just some idea that some Norwegians managed to implement.

0
0
Silver badge

Re: "...suffer from bird shit–related problems."

http://www.blug.linux.no/rfc1149/ ← link with additional detail

0
0

Just get a doctor to write it - no-one can ever understand a doctor's handwriting...

2
0
Silver badge
Facepalm

Ah, but then they just have to hire pharmacists to decrypt it

5
0
Anonymous Coward

Perhaps I'm going to use

RADIX50 AND THEN ONE'S COMPLEMENT IT TO MAKE IT EVEN MORE IMPENETRABLE. IT WORKED FOR PASSWORDS ON RSX SO WHY NOT.

I'M NOT SHOUTING, IT'S JUST THE WAY RADIX50 AKA RAD50 HAS WORKED FOR DECADES. IT DOES A TO Z AND 0 TO 9 AND NOT MUCH ELSE BUT WHAT ELSE DO YOU NEED ANYWAY. DEFINITELY NOT COMIC SANS OR WINGDINGS.

0
1
Stop

TruCrypt

It's TrueCrypt, not TruCrypt.

0
0
Coat

"Ah! Carrier Pigeons..."

Somewhere in the bowels of the USA a new threat is perceived, and members of the Royal Racing Pigeon Association become "persons of interest".

The one with Trill in the pocket please.

1
0
Thumb Up

Re: "Ah! Carrier Pigeons..."

can it avoid DPI and carry a message - maybe avoid SCUD etc?

0
0
Alien

Word from the Tor Network is

That the North Koreans are genetically cross breeding carrier pigeons with Parrots

0
0
Silver badge
Coat

A Norwegian blue?

Sorry, couldn't resist

0
0
Silver badge

"Straightforward"? Really?

"ZXX fonts are designed to work in a similar way to Captcha challenges, of the type internet users are often required to go through to register for a new web service, in that they are difficult for computers to solve but straightforward for humans."

No, they're not "straightforward". Depending on the level of difficulty chosen by the entity implementing the captchas, they can verge on "impossible".

1
0
Anonymous Coward

PRISM-defeating? No, seriously I doubt it, considering what I know about the project (which isn't much, even though I work for INSCOM two weeks a year and a weekend a month, barring deployment) they're intercepting metadata on the server side, nothing you do on a client is going to beat that unless you can somehow block the Chocolate Factory or your carrier from ever getting their hands on your data, and thats a pretty fucking tall order unless you go all Unabomber and shit. They can still hand over cyphertext packets as easily as cleartext.

TEMPEST defeating though, maybe, at least on a CRT or a Plasma, and Ive only heard about TEMPEST in regard to Plasma monitors in theoretical discussion. With an LCD for TEMPEST you'd have to be right up against the target and in that case, you generally have access to a USB port if its COTS.

I do seem to recall a program that Steganos had a few years back which was a text editor supposed to be able to not be read by anyone who might be intercepting transient EM emissions. Called it Zero Emission Pad. I have it, but I don't think you can easily find the installer anymore. But honestly, I never heard anything about it actually working out of the TEMPEST lab at Fort Huachuca (if its still there, I know they were contemplating moving it to Sandia or the INSCOM/NRO facility White Sands Missile Range but Im not sure it ever did, and) and someone would have probably said something on the A-Space or Intellipedia about it had it actually worked as directed, but then again, TEMPEST is a specialized area of study and I work on RADAR MASINT.

0
0

This post has been deleted by its author

Silver badge

avian one time pad joy

More fun than sudoku is to do your one time pad encryption by hand - seeing as how it is the underpinning of all our modern tools, it is also rewarding to understand what's going on under the covers. http://yatta.co.uk/encryption/ if you want to give it a try (originally published in 2600)

0
0
Silver badge
Joke

Re: avian one time pad joy

"(originally published in 2600)"

Wow man, it's like..from the future yeah?

0
0
Bronze badge
IT Angle

Take Me To Your Leader, seriously

Maybe my tinfoil hat is pinching, but I'm in a bad mood over the trouble my gadgets were giving me this morning. I also think that Advertising Big Dogs, Inc. are not all that unpredictable and might turn up the slurp to the highest possible setting if privacy regulation is a possibility. They gotta try and the trouble they will all try at once.

And if that happens it will be best for everyone to know the cause as soon as possible. I have a concern for privacy and have for a long time.

http://lists.w3.org/Archives/Public/public-egov-ig/2013Jun/0029.html

Won't someone please think of the little green men ?

0
1
Anonymous Coward

Wheels within wheels

Step 1: Encode suspicious but meaningless message using ZXX crypto font (e.g. "The brown gelding prefers oats.")

Step 2: Create .png image of resultant message.

Step 3: Use steganography to bury real message in .png file.

Step 4: The real message is "The orange cat prefers whipped cream".

Step 5: ???

Step 6: Profit

1
0
Silver badge

"buy a pigeon"

The local feral cats say that won't work.

Probably the cheapest & easiest way to avoid the .fed is to buy a congress-critter ... but there are two problems with this idea. The first is that if you attempt it with the wrong critter, you'll do hard time. The second is that you don;t have enough money, unless you're in charge of the finances of one of the Fortune 150s ...

1
0

Re: "buy a pigeon"

The third problem is making sure they stay bought

0
0

Re: "buy a pigeon"

Before commenting read the applicable RFCs. Cat-in-the-middle attacks are already addressed. As are a variety of other issues, including the suggestion of avoiding standing under the dropped packets. TCP/IP Over Avian Carriers is a mature technology with a long and distigwished history.

If you wan't overcome the relatively low troughput (a gew KiB/h) then take a look at the work done by Israeli researchers utilizing giant snails.

0
0
Bronze badge
Black Helicopters

More research required...

"If you really want unbreakable message security, buy a pigeon"

Does RFC 1149/RFC 2549 support BGP? And does subverting it involve a pigeon femme fatale?

(I was going to go all pretentious and translate pigeon to French, but it already is).

0
0
Silver badge

Not an 'entirely' stupid concept

There was a series of fonts developed at the computer lab in Cambridge to stop electronic eavesdropping on monitors http://www.cl.cam.ac.uk/teaching/0910/R08/work/slides-ykrt2-videorf.pdf

Of course it doesn't help if the evil boffins at the milk marketing board are tapping your internet rather than hiding in the bushes

0
0
Gold badge

Ineffective

Indeed, a PDF or DOC file or whatever will have plain text in it. If you print an image and send that, it's just a nice clean printout using a font so I would think OCR would be 100% accurate once it's trained on the font once.

0
0
Silver badge

Missing the point.

Yes, end-to-end encryption is clever for pre-established links. But it's poor at widespread dissemination, which is (I imagine) the mode intended for this font.

0
0

isn't the point to render as a png or the like?

The nosy NSA can intercept the bits of the png all they like they will however require significantly more processing to read the message...

2
0
Thumb Up

Re: isn't the point to render as a png or the like?

Your post is like a penny dropping right through this thread, reversing almost all previous posts. Well done. Using the font like this would certainly make PRISM work harder.

0
0
Anonymous Coward

carrier pigeons and one-time pads*

Pigeons with sanitary towels are not so good at transatlantic communication.

*always with wings.

0
0
Silver badge

uh surely you would send a ZXX message as a bitmap....otherwise why compare it to a captcha?

it has drawbacks (eg larger size, the receiver cannot copy/paste) but it would beat automatic filters looking for keywords

0
0
Happy

Nab him...

The most obvious problem with the use of pigeons is surely The Vulture Squadron - although to be fair I can't think of a time when they actually stopped the pigeon. The mastermind was a shady, never-seen character called the General though, so maybe Hanna-Barbera were on to something.

0
0
Anonymous Coward

Misleading

This is completely misleading. It would only be accurate if using the text as a standard font, for example on a HTML page.

If the font is used in a graphical way and saved as an image then it does indeed do exactly what it says on the tin and make it much more difficult for NSA etc. to OCR it.

The key is using the font in a graphical program and then exporting it as a JPG.

0
1
Silver badge

Re: Misleading

yeah I thought it was obvious too

0
1
Anonymous Coward

Re: Misleading

What you thought was "obvious" is in fact discussed in the article if you had cared to read it. The issue is that there's no point going to all that trouble when proper encryption that actually works would be easier.

0
0
Anonymous Coward

Re: Misleading

"Proper encryption" relies on the person on the other end being as smart as you. Anyone can "read" an image.

I don't see this as a way of stopping the NSA or other powers that-be from reading your comms. It's just a way to get you on a more level playing field against automatic snooping and storing of all comms.

0
0
Bronze badge

Meanwhile ...

... handwriting seems to offer a simple alternative.

0
0
Silver badge

Re: Meanwhile ...

The difference is your handwriting hasn't been engineered to maximize human readability while minimizing machine readability

0
1

Page:

This topic is closed for new posts.