ZXX: the messed-up font which will NOT protect you from the NSA

Sang Mun, a former contractor with the US National Security Agency (NSA), hopes that his ZXX font will strike a blow for internet freedom – making it harder for the authorities and hackers to spy upon our communications.

[Image: example of a message in the ZXX font]

The Korean font developer says that he spent a year researching and creating the ZXX family of fonts, which aim to make it harder for computers to read messages, and he sounds like he had noble intentions:

Project ZXX is my humane contribution and homage to the activists, artists, and designers who have been actively fighting for our civil liberties.

But, unfortunately, his project is doomed by a fundamental lack of understanding of how messages are spied upon.

Regardless of whether you communicate electronically using Sang Mun’s font, Comic Sans or something more traditional, it makes *no* difference to anyone spying electronically on your communications.

The messages you send via email, instant messaging, Facebook and other social networks are composed of bytes. Each letter of your message is normally represented by a single byte. For instance, the letter “A” (regardless of how it might look in your screen font) is represented by the number 65. “B” is 66, “C” is 67. And so on…

The computers which might be spying on your communications don’t *see* the font as a human would; they just see a bunch of numbers which they piece together back into characters and ultimately words, phrases and sentences.

[Image: ZXX font close-up]

So, it makes no difference to these computers if a font, for example, disguises a capital “T” as a capital “G”.

Where ZXX *could* be useful is if you send messages as *images*. In those cases, optical character recognition (OCR) technology may find it difficult to decipher the secret message you have placed inside a JPEG, GIF or PNG file.

However, the secret services aren’t using OCR (at least, not primarily) to snoop on communications.

Even if they were, you can imagine that if ZXX became well known and popular, the likes of the NSA would simply add knowledge of the font to their arsenal and extend their expert systems to decipher it from images in the same way they might handle the likes of Comic Sans, Wingdings and Times Roman.

Quite frankly, if you’re going to all the effort of composing messages in an image editor, why aren’t you using proper end-to-end encryption on your sensitive messages anyway, ensuring that if they do fall into the wrong hands they can’t be deciphered?
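To make the byte-level argument above concrete, here is a small added Python illustration (mine, not part of the original article). A constructed sample message is "sent" twice, once tagged with the ZXX font and once with Comic Sans, and a simulated keyword scanner is run over the bytes that actually travel; the glyph-swap table and the font names are hypothetical stand-ins for what a ZXX-style font does on screen. A one-time pad (XOR with a fresh random key as long as the message) stands in for the end-to-end encryption layer the article recommends, purely to show the contrast between bytes that carry the text and bytes that do not.

```python
import secrets

# Constructed sample message (not taken from the article).
PLAIN_MESSAGE = "Meet at the harbour at nine"

# Hypothetical glyph substitutions standing in for what a ZXX-style font does:
# it DRAWS one character with another's shape. This table lives in the font
# file on the reader's machine; it never touches the message being sent.
HYPOTHETICAL_GLYPH_SWAP = {"T": "G", "t": "g", "e": "a"}


def wire_bytes(message: str, font_name: str) -> bytes:
    """Bytes that actually leave the machine. The font is a rendering hint,
    carried (if at all) as separate styling metadata, so the text encoding is
    identical for ZXX, Comic Sans or Times Roman: 'A' is byte 65 every time."""
    _ = font_name  # deliberately unused: the font cannot influence the encoding
    return message.encode("utf-8")


def rendered_on_screen(message: str, glyph_swap: dict) -> str:
    """What a human sees when a swapped-glyph font draws the message."""
    return "".join(glyph_swap.get(ch, ch) for ch in message)


def keyword_filter(payload: bytes, keywords: list) -> list:
    """Simulated automated scanner: it matches byte patterns and never sees
    glyph shapes, so the sender's font choice is invisible to it."""
    return [k for k in keywords if k.encode("utf-8") in payload]


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """One-time pad: XOR with a random key at least as long as the data.
    Used here only as a stand-in for a real end-to-end encryption layer."""
    if len(key) < len(data):
        raise ValueError("one-time-pad key must be at least as long as the data")
    return bytes(d ^ k for d, k in zip(data, key))


def demo(keywords=("harbour", "nine", "missile")) -> dict:
    """Run the comparison and return the observations as a dict."""
    kws = list(keywords)
    zxx = wire_bytes(PLAIN_MESSAGE, "ZXX")
    comic = wire_bytes(PLAIN_MESSAGE, "Comic Sans")
    key = secrets.token_bytes(len(zxx))
    ciphertext = xor_with_key(zxx, key)
    return {
        "same_bytes_in_any_font": zxx == comic,
        "letter_A_is_65": wire_bytes("A", "ZXX")[0] == 65,
        "what_the_eye_sees_for_The": rendered_on_screen("The", HYPOTHETICAL_GLYPH_SWAP),
        "scanner_hits_with_zxx": keyword_filter(zxx, kws),
        "scanner_hits_with_comic_sans": keyword_filter(comic, kws),
        "scanner_hits_on_ciphertext": keyword_filter(ciphertext, kws),
        "recipient_recovers_plaintext": xor_with_key(ciphertext, key) == zxx,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scanner reports the same hits whether the message is "in" ZXX or Comic Sans, because the only thing that differs is a rendering hint that the scanner never looks at; the encrypted payload yields no hits while the holder of the key still recovers the text. The XOR pad is a teaching device only: in practice the article's point is to use an established end-to-end encryption tool, not to hand-roll a cipher.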

It’s a nice art project by Sang Mun, but I don’t think anyone serious about keeping their conversations private from the-powers-that-be will be rushing to add it to their portfolio of privacy tools.


6 Responses

  1. Nick Ballard, June 24, 2013 at 11:36 am

    "For instance, the letter “A” (regardless of how it might look in your screen font) is represented by the number 65. “B” is 65, “C” is 66. And so on…"

    Hi Graham, you need to edit the value to say that 'B' is 66, 'C' is 67, etc

    • Graham Cluley, June 24, 2013 at 11:37 am

      Thanks! What a klutz I am. Someone else spotted that, so I already fixed within seconds of publishing. Of course, caches may be catching up…

  2. paul, June 25, 2013 at 12:19 pm

    the image (https://grahamcluley.com/wp-content/uploads/2013/06/zxx-font.jpeg) is blocked for me as the certificate doesn't match (issued for *.wpengine.com) – do you need https for it?

    • Graham Cluley, June 25, 2013 at 12:24 pm

      It's an occasional goof with my content management system that I'm trying to get my webhosts to fix. Sorry about that. Hopefully you can see the image now.

  3. Jim S., September 16, 2013 at 9:15 pm

    A little hard on the man weren't you?

    His intentions were in the right place, and I saw the idea of attempting to use this against OCR devices right from the beginning of the article. The problem I have there is that it works best for that purpose if you are also using a patterned or otherwise not-so-plain background (much like most of those "CAPTCHAs").

    Anyway,

    If I was serious about making my texts and messages very hard to crack, the good old tri-graphic system has worked very well, especially if the intended recipient already has the pass-phrases memorized.

    I am thinking of building a tri-graph program to test out some new ideas, though.

  4. E.A. Blair, September 30, 2013 at 10:16 pm

    Many years ago, I used a method of encrypting code that was so simple it almost seems ridiculous. I was working at a shop that used FORTH as its primary programming language. In FORTH, it is possible to dynamically change the number base from decimal to octal or hexadecimal or just about any other value you want (working with bases higher than 255, however, gets tricky, since the system runs out of characters to represent digits). We converted our software to base 15 before compiling it, and relied on the possibility that anybody trying to reverse engineer our products would not notice that the hex number 'F' never appeared.

    It was while playing around with the number bases in FORTH, by the way, that I discovered that the question "What do you get when you multiply six by nine?" does yield "42" when it's computed in base 13.
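The number-base trick in the comment above is easy to reproduce, so here is an added Python example (mine, not the commenter's FORTH code). It writes integers in an arbitrary base, checks that 6 × 9 comes out as "42" in base 13, shows that a base-15 listing indeed never contains the digit "F", and includes a small helper that estimates the smallest base a digit string could have been written in, which is the observation a reader of such a listing would make: the digits that do appear reveal the base, so the representation hides nothing from anyone who looks.

```python
DIGIT_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def to_base(n: int, base: int) -> str:
    """Write integer n in the given base (2..36), using 0-9 then A-Z as digits."""
    if not 2 <= base <= len(DIGIT_ALPHABET):
        raise ValueError("base must be between 2 and 36")
    if n == 0:
        return "0"
    sign = "-" if n < 0 else ""
    n = abs(n)
    digits = []
    while n:
        n, remainder = divmod(n, base)
        digits.append(DIGIT_ALPHABET[remainder])
    return sign + "".join(reversed(digits))


def from_base(text: str, base: int) -> int:
    """Inverse of to_base; Python's int() accepts the same digit alphabet."""
    return int(text, base)


def six_times_nine(base: int) -> str:
    """The commenter's observation: 54 is written "42" in base 13."""
    return to_base(6 * 9, base)


def digits_present(values, base: int) -> set:
    """Set of digit characters that appear when all values are written in base."""
    chars = set()
    for v in values:
        chars.update(to_base(v, base).lstrip("-"))
    return chars


def smallest_possible_base(text: str) -> int:
    """Lower bound on the base of a digit string: one more than its largest digit.
    A base-15 listing contains digits up to 'E', which already points at base 15."""
    indices = [DIGIT_ALPHABET.index(ch) for ch in text.upper() if ch in DIGIT_ALPHABET]
    if not indices:
        raise ValueError("no digits found")
    return max(indices) + 1


if __name__ == "__main__":
    print("6 x 9 in base 13:", six_times_nine(13))
    sample = digits_present(range(1, 5000), 15)
    print("digits used by base 15:", "".join(sorted(sample)))
    print("smallest base for '11E':", smallest_possible_base("11E"))
```

Running the block prints "42" for base 13, a base-15 digit set of 0-9 and A-E with no "F", and 15 as the smallest base in which "11E" (which is 254 in base 15) could have been written.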
