Introducing the NSA-Proof Crypto-Font
Daniel_Stuckey writes "At a moment when governments and corporations alike are hellbent on snooping through your personal digital messages, it'd sure be nice if there was a font their dragnets couldn't decipher. So Sang Mun built one. Sang, a recent graduate from the Rhode Island School of Design, has unleashed ZXX — a 'disruptive typeface' that he says is much more difficult for the NSA and friends to decrypt. He's made it free to download on his website, too. 'The project started with a genuine question: How can we conceal our fundamental thoughts from artificial intelligences and those who deploy them?' he writes. 'I decided to create a typeface that would be unreadable by text scanning software (whether used by a government agency or a lone hacker) — misdirecting information or sometimes not giving any at all. It can be applied to huge amounts of data, or to personal correspondence.' He named it after the Library of Congress's labeling code ZXX, which archivists employ when they find a book that contains 'no linguistic content.'"
Undecipherable my ass.
for all the printed content that you want nobody to read.
Given that this seems to be just a simple font, why would it be hard to write an OCR program to decipher specifically this font (or any other supposedly secure font)? Perhaps a program that dynamically obfuscated text like a CAPTCHA would be more useful. This appears to be more of an artistic statement than something useful.
I heard he's quite the cunning linguist!
not sure what the point is even if you typed it in wingdings it would not obscure the meaning of the original message
which is only subsequently translated into a type face when the item is converted into an image which doesn't contain the letters. So all your data would have to be held as such PDFs, which are no longer searchable. Nice idea - shame about the reality
I guess it will work for all my digital content that I save as raster graphics. Which is...um...none of it.
...when people with a fundamentally flawed understanding of computer communication try their hands at digital cryptography.
How can we conceal our fundamental thoughts from artificial intelligences and those who deploy them?
By using a real form of encryption.
VGA 640x480, not b8000 text, hand drawn
watch the stupid unfold.
So, the NSA is reading your digital communications. A funky font is no help here, unless it also uses a different encoding (such as trivial replacement scheme where letters look like different letters). This kind of security by obscurity isn't something that will defeat the NSA if they try. It might help if they don't try, but wouldn't real encryption be a better idea?
In the case of printed text, this font is supposed to resist OCR via security by obscurity. That's not very useful: feed the publicly available font into the OCR software then the encryption is broken.
I'm glad someone is trying to cause a minor inconvenience for the NSA, but perhaps he should just use https for his site instead? That would accomplish more. Unencrypted site that wants to give me a cookie; that protects my privacy real well. (Oh, and slashdot, about time for https for you too?).
Recommending Tor would make more sense.
His name is ''Sang'' ? Past tense ?
load "linux",8,1
I am not sure if the person is an idiot or just trying to get attention from the NSA news.
The fact that each character has the same obfuscation means that it would be easy to match against, it would be more secure to take a marker pen and scribble random lines through pictures of your rebel message.
But the "clever cryptographic font—which you can use in email messages to shield them from snoops" is just laughable. Any text scanner would only see the character encoding, not the font, or is opening an e-mail and changing its font beyond their comprehension.
Almost completely indecipherable. http://blokkfont.com/
hey this has given me an idea for the perfect secure font...every char is a blank.
never bring a twinkie to a food fight.
And here I was about to submit my idea for my smell-o-encryption. You need a smell-o-scope to decipher it.
Hmmm...either the author of the article or this Sang guy needs a little education on how email works.
Sang has no illusions that even a clever cryptographic font—which you can use in email messages to shield them from snoops and font-recognition bots—will remain encoded for long.
Guys, email isn't fax. It's not sent around as an image so the font isn't going to change whether or not your text can be interpreted by a machine.
Nice work creating a new font face.
Pity frequency analysis and a translation table would quickly destroy this. The video admits that at least the "false" style is straight glyph substitution which he gives a partial crib to in the video.
This aint going to keep anything secret
everything is patented, so use your own LZW compression
"This project will not fully solve the problems we are facing now", they say. I'd say it barely solves some.
It could even mislead people into thinking that writing emails with this font will make their messages safer. My father for sure would, as he doesn't know what UTF-8 or "charset" mean.
All of /. completely missed his joke. Man, you guys are pathetic.
I think most commenters here will end up completely missing the point, just as I initially did. Of course it will be trivial to bypass any possible protection the font might briefly provide, but that isn't the point. The making of the font is a political statement against government machinery and software spying on us and taking our humanity away. As such, I'd say it's quite clever and attention-getting.
Now I'll sit back and watch 50 different people get up-modded for pedantically explaining how it will be trivial to train an OCR to recognize the font and how software reads the bytecodes and doesn't care about the font and blah blah blah...
Is that a giant whooshing sound I hear?
At a moment when governments and corporations alike are hellbent on snooping through your personal digital messages, it'd sure be nice if there was a font their dragnets couldn't decipher.
It is just a font! If I'm sending a digital message, as the intent of this article states, then it hardly matters what font I want it displayed in. What am I expected to do, print every email that I type and all of the data that I want to send into an image that uses this font and just send the image? I'm not convinced that would slow the NSA down as much as it would impact the people I was trying to send it to, not to mention the potential for errors in receiving messages. I'll stick with my one time pad software.
I'm an American. I love this country and the freedoms that we used to have.
If you have clicked on this article, you have been flagged as an enemy.
You could obfuscate HTML by generating a custom font with glyphs in the Unicode private use space for each message, then using hard-to-read characters. This is, of course, a monoalphabetic substitution, which is close to the weakest known cryptosystem. At best it might be useful for getting spam through filters.
If anybody started using this font for CAPTCHAs, there would be a module to break it for spam programs within weeks. Assuming the existing learning algorithms didn't solve it automatically.
However silly this idea is, at least he took a stab at things. Most liberal arts and "sciences" types are too useless for even trying.
I didn't read anything. Neither TFA nor any posts.
But hand writing seems to be the simplest option. Ugly hand writing in particular.
How did this make it on slashdot when there are more pressing issues that have happened recently dealing with the NSA scandal.
This is the most ridiculous thing I have ever seen. Just go on a font site and get a dingbat font... Or any other font that doesn't use typical font characteristics.
Yes, as anyone with half an ounce of sense will have already realised, no font will ever be NSA proof. The first mistake was publishing it on the internet...
The creator is trying to make a point about privacy, not implement a workable solution.
systemd is Roko's Basilisk.
I would not either unless I had a tech support call about an x showing up when the guy pressed the r key... This is really about ASCII codes. The person who created it thinks 1. NSA is focused on U.S. keyboards (as it is the English standard each key is mapped to an ASCII code so if you mix up those codes and send all your e-mail in HTML where the codes are mapped to the letters then you're safe) 2. NSA is so big and working on so many streams of info that the amount of work it would take to create a single system to work on the font that few will use is pointless. (apple effect for hackers) Also NSA is looking most likely for keywords; this will not set off any of those.
Firstly, if it's using standard character values and this font is laid over it, then you just look at the character value.
Secondly, if this is only for display documents, there's OCR and the NSA is unlikely to get a sneaker net hard copy anyway.
So if you limit it to electronic documents, then the only way to make it unreadable is
a) the underlying character values are goofy ( the letter 'z' displays as "A").
So the unicode character values
zd% ne@erkaw $ekkew
is actually displayed as
"The terrorist network."
And then you might as well use stenography.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Slashdot editor should be flogged for the term crypto-font, considering there is no cryptography at all.
I remember when bullshit like this wouldn't have been posted at all as it wouldn't have made it past the editors bullshit detector. Now this? Some stupid fucking font designed by an art student who somehow thinks he understands computers or cryptography because he watched "Hackers" over 100 times. Seriously this place has gone downhill. What the fuck is going on guys?
RISD is just a place where stupid hipster kids with rich parents go to film themselves masturbating in bath tubs then go in front of the class and spout a line of b.s. about how it's the most original and unique thing ever created.
I dunno. The Talking Heads came out of the RISD, and they were pretty cool back in the 80's.
Of course, maybe the RISD only produces a band like that once in a lifetime . . .
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Thunderbird, global stylesheet override in Firefox, IRC client, Pidgin, and the main typeface for Windows. Go to hell, NSA!!!
In all fairness, there's a good reason why nobody ever before attempted to do whatever they did, so it IS unique.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
http://search.dilbert.com/comic/Small%20Font
Prior art?
Serenity now, insanity later.
I fed this into the OCR software developed at my company, took it almost 5 seconds to determine that it can reliably determine if this font is in use with about 23 pixels sampled, assuming font size of 12 point, and it will need to sample about 9 pixels from each "character" to determine what the character is. Not that difficult, but it is a step up from the average of 7 pixels.
In summary: FAIL.
I was going to come in here and remind Soulskill that this is not April first. But then I remembered that there's a "submit story" link in the /. global footer. This is probably his way of reminding us that we need to click that now and then if we don't want to see this crud.
Help stamp out iliturcy.
lousy encryption idea. I mean, all one has to do is add this to an OCR database in order to decipher the text. anything printed and mapped is in essence already broken.
The idea should be to get ideas out on a larger scale, not hide them.
now we need to go OSS in diesel cars
So his stuff will actually show up in that font when they try to read it.
Wait...
Too easy to train OCR for his font. Same glyph for same character. When they say that NSA is reading your mail, they don't mean snail mail. I'm sure that it seemed like a good idea at the time.
PRISM intercept data in digital form, so the font means nothing to them. However, the font might be useful against TEMPEST (https://en.wikipedia.org/wiki/Tempest_%28codename%29). The font can make it more difficult for attackers to analyze the Electro-Magnetic signals emitted by your computer monitors.
If you exported a document as a pdf, you can embed fonts in it. Run a program to convert your original text file into another one. translate out the characters to other ascii ids. and then embed the font.
For example, "DOG". Letter "D" is ascii 68. So the pdf will say "this is character 68, in whatever font you had selected." So place the obfuscated glyph for "D" in the position for "Y" (90) and then change all Ds to Ys in the document's text stream. Then when a person reads it, it LOOKS like DOG but copy-paste will get "YOG". Do this for all characters and numbers.
A smart app to do this would roll up a random ascii remapping for each document, and obfuscate characters in the font differently each document. This would make it difficult to craft a specific skimmer module to handle this obfuscation automatically.
This will allow you to email or post the data, and humans to read it, but skimmers won't get legible text with a copy and paste, and if they then fall back to OCR attempt, that will also fail.
Although in reality, fallback to OCR in an automated system is unlikely, and would probably just move on to the next document to skim. So just making very slight adjustments to the glyphs in the font, (to prevent automated correction) in addition to mixing them up, would probably do a good job against fully automated skimming. The adjustments this guy is making (except for the last one) are inconvenient to read. Just adding a LITTLE noise would do the trick I think.
I work for the Department of Redundancy Department.
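Added example, not part of any comment in the thread: a model of the per-document scheme described above (random ASCII remap plus slightly perturbed glyphs embedded with the document), showing that the embedded font hands the mapping back to anyone holding the published reference font. Glyphs are modelled as constructed 8x8 bitmaps and every function name here is hypothetical; a real font carries outlines, but the nearest-match step is the same idea.

```python
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
GLYPH_BITS = 64  # each glyph modelled as an 8x8 monochrome bitmap


def reference_font(seed=1):
    """Constructed stand-in for the published font: letter -> 64-bit bitmap."""
    rng = random.Random(seed)
    return {ch: rng.getrandbits(GLYPH_BITS) for ch in ALPHABET}


def perturb(bitmap, rng, flips):
    """Flip `flips` distinct pixels: the 'little noise' added per document."""
    for bit in rng.sample(range(GLYPH_BITS), flips):
        bitmap ^= 1 << bit
    return bitmap


def obfuscate(text, ref, seed, flips=4):
    """Random code remap plus noisy glyphs, freshly rolled for each document.

    Returns (text_stream, embedded_font). embedded_font maps the code stored
    in the text stream to the bitmap that is drawn for it, so a human still
    sees the intended letter while copy-paste yields the remapped code.
    """
    rng = random.Random(seed)
    codes = list(ALPHABET)
    rng.shuffle(codes)
    remap = dict(zip(ALPHABET, codes))  # e.g. 'D' stored as 'Y'
    embedded = {remap[ch]: perturb(ref[ch], rng, flips) for ch in ALPHABET}
    stream = "".join(remap.get(ch, ch) for ch in text)
    return stream, embedded


def hamming(a, b):
    """Number of pixels in which two bitmaps differ."""
    return bin(a ^ b).count("1")


def recover(stream, embedded, ref):
    """Invert the remap using only what ships with the document.

    Each embedded glyph is matched to the closest reference glyph, so the
    per-document noise and the per-document shuffle are both undone without
    any key and without frequency analysis.
    """
    inverse = {
        code: min(ref, key=lambda ch: hamming(ref[ch], bitmap))
        for code, bitmap in embedded.items()
    }
    return "".join(inverse.get(c, c) for c in stream)


if __name__ == "__main__":
    ref = reference_font()
    message = "MEET AT THE DOG PARK AT NOON"  # constructed sample text
    for doc_seed in (101, 202):
        stream, font = obfuscate(message, ref, doc_seed)
        print(stream, "->", recover(stream, font, ref))
```

The recovery needs no secret because the scheme has none: everything required to render the text for a human reader travels with the document, which is the difference between this and encryption under a key the interceptor does not hold.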
Hey, I've got this cryptographic compression library you could try. It can reduce any document 100%, and it makes them entirely undecipherable as well.
Of course, NSA could still apply basic kindergarten 101 cryptanalysis (e.g. by selecting characters according to their frequency and mapping them to EATOINSHRDLU...), but that would be more work. A simple grep(1) won't be enough and, more importantly, couldn't be done on current massively parallel silicone chips: they'd have to be reprogrammed. Sure, just a bump in the road for NSA, but it's a way to show dissent.
cpghost at Cordula's Web.
That is to use anti-NSA measures for communication.
On a side note, even just trying to read the example on the website gave me a headache. And I bet an OCR could read it much much faster than me.
The inventor of this new font needs to read about frequency analysis. That is how hieroglyphs were decrypted. The NSA guys would solve this problem in a few nanoseconds. Big joke.
If I use this for all my writing will it make me as k3wL as if I used 1337 speak?
April Fools' Day?
Many have already pointed out that making an unreadable font would really only protect against physical letters (as in, mail, not email) being read, or perhaps text being distributed through raster images. After all, 0x446561746820746F20416D6572696361 means the same thing, whether it's displayed in Helvetica, Times Roman or this new font.
We have measures that are better against machine interception (such as encryption), but those still have one flaw - they're obviously hiding something, and apparently "having something to hide" is now a crime in and of itself. There are steganographic techniques to hide one message inside another, but as soon as they become commonplace, they too will be scanned for.
What we need is something machines cannot adapt to. We need language. Come up with a system of code phrases that can easily be confused for inane, "safe" chatter. Either they don't scan for it, or grabbing it gets too much, and any actual messages get hidden within the noise. Make it so that only a human could reliably determine whether it's an actual "terrorist" message, or if it's a regular email.
For extra protection, base it off a somewhat-obscure set of jargon, so that even the average person wouldn't find anything suspicious about it.
The fact that this post made it onto slashdot's page is proof that it has jumped the shark. A "crypto-proof font" is like "crypto-proof salad dressing". It's absurd on its face, and it actually made it to full article status on /. Alas and adieu.
If the NSA and other snoops capture and record data that is sent and just store it for subsequent analysis when the need arises, a better approach to foiling them would be to not actually send data at all, but only to compute data live at each end.
Computing the data of a communication can be done in countless ways, from timing the intervals between items of data sent (where the data is either garbage or readable misdirection), to encoding it in IP addresses used, applying mathematical functions to the live stream, or any of a million other weird approaches that a suitably inebriated brain could dream up. This diversity is a strength.
Note that this is not cryptography, it's denial of cryptographic analysis at a later date because essential reassembly parameters are available only at the time of transmission, not later. All it would do is prevent dumb data gathering and storage by the mass dragnet from providing data that is meaningful at a later time.
Needless to say, you could use it in conjunction with cryptography too if you wanted to ensure that, should they actually be monitoring you live and capturing a whole pile of possible reassembly parameters, then they'd still need to break the real crypto as well. But if they're doing that to you then you're probably in deep trouble already and you shouldn't be online reading Slashdot.
Where it can help is by being a thorn in the side of the mass data collectors, and so helping the great mass of public communication remain private despite subsequent analysis by the spooks. To combat it, they would not be able to just blindly collect traffic for posterity, because it would be meaningless.
It's not an original idea, but perhaps after the PRISM revelations it's time to revive some old ones.
That is your only friend for safely transmitting digital information, at least until they mandate NSA approved TCP/IP stacks, keyboard interfaces and video drivers on your PC. Then we are just out of luck if you want to remain online.
haha
This is the dumbest article I have ever read.
...sorry, just had to get that out.
This is a bad title. The font is of course breakable, and author tells about it in TFA:
Sang has no illusions that even a clever cryptographic font—which you can use in email messages to shield them from snoops and font-recognition bots—will remain encoded for long. They're not meant to be long-term tools with which to combat the NSA. Rather, he views them as an awareness-raising measure.
"This project will not fully solve the problems we are facing now," he writes, " but hopefully will raise some peculiar questions."
Slashdot title is bad. Of course the font is breakable, and the author even acknowledges it in TFA:
Sang has no illusions that even a clever cryptographic font—which you can use in email messages to shield them from snoops and font-recognition bots—will remain encoded for long. They're not meant to be long-term tools with which to combat the NSA. Rather, he views them as an awareness-raising measure.
"This project will not fully solve the problems we are facing now," he writes, " but hopefully will raise some peculiar questions."
I have to give the creator credits for a relatively creative scheme but there is a fundamental flaw. Ultimately, based on the availability of the font, NSA can just forensically evaluate which key strokes create which characters and work backwards from there. There is no privacy guarantee. This could only work well if the font were dynamic and shifted shapes on a random basis. Then you would be more closely approximating cryptography.
ROFLMA as to what a character looks like when displayed. Is it not stored as a character that is translated into an image to be displayed? And is that 'character' any way unique? No.
This is just idiotic.
because Sang Mun == anagram for "Man Guns"
*I* chuckled.
Previously released but retracted - still in archive....
Download low-pass filtered Soft Tempest fonts:
http://web.archive.org/web/20020101000000*/http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip
So-called reason(s) for retraction of fonts:
http://www.cl.cam.ac.uk/~mgk25/emsec/softtempest-faq.html
if AI scanning were what the government was actually doing.
Give me my 10 minutes back. I even went through the comments after RTFA trying to see if I missed something really obscure.
I thought it would be a regular font where the letters were swapped so it would work as symmetric encryption. It would be hard to write but only the sender would have to worry about that part. The receiver would on the other hand need to use scripts in their web browser to change the font in messages (or paste it in a rich text editor).
It would still be pretty easy to decrypt because every instance of one letter translates the same, but it would have to be decrypted before any processing could be done.
I already have a perfect crypto-font. My handwriting is indecipherable. Even I can't read it!
It'd be a little better because decent captcha generators won't generate the exact same symbol for a given letter every time specifically to foil OCR programs. But often captcha generators produce output that even humans can't read...
I'm working on this after reading this article:
http://imgur.com/1QmdhUB
I've got a bit of headache so I'm going to take a break. However, the final step involves saving the blob images from step 5 into files, running them through google's tesseract ocr program and if it returns a \ or / toss it out, otherwise feed that into a string and then drawstring onto a bitmap and scale it to the size of the blobs detected in the larger letters and at the intersections points of the two rectangles for the small and large detected blobs replace the large blob (erase its rectangle in the final image) and draw the string->bitmap of the smaller ocr detected letter at the size of and position (e.g. blob rect) of the larger blob it intersected with. Then, you've pretty much got a human and ocr readable text, that you can simply run thru tesseract as a whole and produce easy to read text.
You're welcome humanity, your slavery to the panopticon overseer is almost complete!
Select whatever font you like, but the TEXT in the document is just text with tags.
Printed documents fine, but that's not what the NSA are intercepting.
1. write your text.
2. compress it.
3. compress the compressed file.
4. again and again.
5. until you get a file with a single byte.
6. open this one byte file with a hex editor of your choice.
7. change the value of that byte to another one, so only _you_ will know.
now the tricky part:
8. setup a completely safe communication channel and share the permutation details to be able to reconstruct the original byte.
done
9. send your edited byte.
only the one who knows the original permutation will be able to recover the byte and decompress properly.
All others will only get gibberish.
Technically sound solutions require a deep understanding. Implementation and usage are easy.
I've read this site since 97 or 98. I had a 3-digit slashdot ID (before I left uni, my email address changed and I forgot the password). I've seen a lot of change on slashdot over the years, some good, some bad. But this? This must be the single lamest story in the history of slashdot. It makes Katz look like a Pulitzer prizewinner. In Soviet Russia, Natalie Portman would write a better story than this about hot grits. While naked and petrified! Meeept.
He may have good intentions but this artist just doesn't understand how email works.
Generate a bunch of digital one time pads. Put them on a USB stick.
Physically hand stick to receiving party.
Use.
Make the NSA crazy.
I don't care if their D-Wave machine happens to miraculously not suck, even a Quantum Computer will break itself on this system.
The only way they can get your data now is to physically send a guy to your house and ninja the pads. Though, I guess this could be done from a white van across the street. Or a satellite. Either way, it's a great way to waste their time and money.
What do you have to say which is worth anything anyway? The thing they want is access. They want it so badly, it'll make them cross-eyed with frustration to not have it. Your actual data doesn't have much value.
But the thing of REAL value? Your fear of speaking your mind is the true commodity being created here with all this news about wiretapping.
They've been doing it for years. Why do they want you focused on it now? What else is going on right now? Why does the government want you to think of them as omnipresent and all seeing?
This is about as secure as rot13
When I was 8 my thought process was about the same: I sent my friends messages in Wingdings.
Still though, as a statement in the artistic sense, this is perhaps not useless. You know, raising awareness and such. Often statements accomplish nothing on their own, but do put subjects on agendas.
forget about the lemon juice ???!!
How can we conceal our fundamental thoughts from artificial intelligences and those who deploy them?
Easy, don't put them on the Internet or computer. You see they have these things called pens and pencils and this other stuff called paper. You want something hidden from electronic surveillance, don't make it electronic.
It says "I don't understand OCR, and I have something to hide".
Right. The NSA is doing screen captures and then using OCR to read your messages, rather than just intercepting the bytes that don't give a fuck what font you're using.
Where do you get silicone chips? Old breast implants? Do they only function in supporting roles? And by massively parallel, are you saying that anything below a DD won't work? To start up a silicone chip, do you bra-strap it instead of boot-strap it? Are silicone chips the ideal technology to create AI's without feelings?
I would like to learn more about this. How can I subscribe to your newsletter? I can already tell it's worth at least a nipple an issue.
I've fallen off your lawn, and I can't get up.
Support your local open source project: http://freecode.com/projects/fuckthensa
from their website:
"FuckTheNSA is a binary-to-text encoding and decoding tool. The encoded data is an ASCII-string, 8 times bigger than the source data, and consists purely of anti-NSA profanity. It encodes any 8-bit byte sequences."
Sooooo much funnier too.
Lightning Bolt!
I'm a designer myself, and while I appreciate the effort here, it's not us graphic designers, typographers, and the like who will be crafting a real solution to this massive problem.
However, though I don't have the skills to implement it, wouldn't the best way to discourage this be to take away the inherent advantage offered by using automation to scan everything with little manual effort by generating false positives which cannot be excluded without manual effort, rendering the automation benefit pointless?
What I mean, is, to invoke the needle/haystack concept - the NSA is essentially 'brute-forcing' the haystack in the sense that computing resources can cheaply scan every single piece of hay to find the single needle, which then can be manually investigated - so why not just add in enough fake needles by volume that the advantage of such indiscriminate surveillance is cancelled out by the enormous number of false positives?
Write a program somewhat like a voluntary e-mail plug-in which for every real email account, sites, automatically creates a bunch of mixmatched emails, html, etc. by using a database/index of public records of terrorism trials, investigations, warrants, keywords, media coverage, etc. to generate randomly all sorts of plots, stories, arabic names, landmarks, known targets, known groups, etc. which simply create too many false positives to make the actual positives generated difficult to identify, thereby adding another haystack which NSA automation cannot so easily search based on keywords, patterns, names, numbers, but rather must use a human asset to evaluate and exclude?
I'm way over my head here in terms of my own ability to implement, and so if you are a hurting ego who wants to make fun, please enjoy yourself, but it occurs to me that the reason mass surveillance for 'terrorism' plots is both so potentially effective (and therefore, an effective excuse to create a surveillance state which wouldn't either be acceptable in terms of domestic law enforcement) is that there isn't really all that much terrorism out there to catch or investigate relative to the amount of surveillance. If they had to investigate a few hundred thousand auto-generated plots and emails randomly picking out names, quran passages, targets, etc. and assembling them into computer-generated conversations, etc., they would HAVE to investigate them using human assets to eliminate them conclusively and that would drastically make the whole project much less efficient and tempting. If a couple of million people let a bot run voluntarily, scraping the net for terrorism info, rearranging and sending auto-generated correspondence all over the place and from bot to bot, their hit count massively increases and the systems super-efficiency becomes much lower, with the added problem that politically, they cannot ignore intercepted plots just because they might not be real, they have to check, driving them completely crazy.
Maybe a stupid idea....Hey, if you want a font designed though, I could do that to help defeat our privacy being attacked. Maybe NSA computers will be confused by comic-sans in pink on a cyan background, or just offended to the point of overheating?