ZXX: the messed-up font which will NOT protect you from the NSA

Sang Mun, a former contractor with the US National Security Agency (NSA), hopes that his ZXX font will strike a blow for internet freedom – making it harder for the authorities and hackers to spy upon our communications.

Example of message in ZXX font

The Korean font developer says that he spent a year researching and creating the ZXX family of fonts, which aim to make it harder for computers to read messages, and he sounds like he had noble intentions:

Project ZXX is my humane contribution and homage to the activists, artists, and designers who have been actively fighting for our civil liberties.

But, unfortunately, his project is doomed by a fundamental lack of understanding of how messages are spied upon.

Regardless of whether you communicate electronically using Sang Mun’s font, Comic Sans or something more traditional, it makes *no* difference to anyone spying electronically on your communications.

The messages you send via email, instant messaging, Facebook and other social networks, are composed of bytes. Each letter of your message is normally represented by one single byte. For instance, the letter “A” (regardless of how it might look in your screen font) is represented by the number 65. “B” is 66, “C” is 67. And so on…

The computers which might be spying on your communications don’t *see* the font like a human would, they just see a bunch of numbers which they piece together back into characters and ultimately words, phrases and sentences.

Sign up to our free newsletter.
Security news, advice, and tips.

ZXX font close-upSo, it makes no difference to these computers if a font, for example, disguises a capital “T” as a capital “G”.

Where ZXX *could* be useful is if you send messages as *images*. In those cases, optical character recognition (OCR) technology may find it difficult to decipher the secret message you have placed inside a JPEG, GIF or PNG file.

However, the secret services aren’t using OCR (at least, not primarily) to snoop on communications.

Even if they were, you can imagine that if ZXX became well known and popular, the likes of the NSA would simply add knowledge of the font to their arsenal and extend their expert systems to decipher it from images in the same way they might handle the likes of Comic Sans, Windings and Times Roman.

Quite frankly, if you’re going to all the effort of composing messages in an image editor, why aren’t you using proper end-to-end encryption on your sensitive messages anyway, ensuring that if they do fall into the wrong hands they can’t be deciphered?

It’s a nice art project by Sang Mun, but I don’t think anyone serious about keeping their conversations private from the-powers-that-be will be rushing to add it to their portfolio of privacy tools.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

8 comments on “ZXX: the messed-up font which will NOT protect you from the NSA”

  1. Nick Ballard

    "For instance, the letter “A” (regardless of how it might look in your screen font) is represented by the number 65. “B” is 65, “C” is 66. And so on…"

    Hi Graham, you need to edit the value to say that 'B' is 66, 'C' is 67, etc

    1. Graham CluleyGraham Cluley · in reply to Nick Ballard

      Thanks! What a klutz I am. Someone else spotted that, so I already fixed within seconds of publishing. Of course, caches may be catching up…

  2. paul

    the image (https://grahamcluley.com/wp-content/uploads/2013/06/zxx-font.jpeg) is blocked for me as the certificate doesn't match (issued for *.wpengine.com) – do you need https for it?

    1. Graham CluleyGraham Cluley · in reply to paul

      It's an occasional goof with my content management system that I'm trying to get my webhosts to fix. Sorry about that. Hopefully you can see the image now.

  3. Jim S.

    A little hard on the man weren't you?

    His intentions were in the right place, and I saw the idea of attempting to use this against OCR devices right from the beginning of the article. Problem I have there, is that it works best for that purpose if you are also using a patterned or otherwise not-so-plain background (much like most of those "CAPCHA's").

    Anyway,

    If I was serious about making my texts and messages very hard to crack, the good old tri-graphic system has worked very well, especially if the intended recipient already has the pass-phrases memorized.

    I am thinking of building a tri-graph program to test out some new ideas, though.

  4. E.A. Blair

    Many years ago, I used a method of encrypting code that was so simple it almost seems ridiculous. I was working at a shop that used FORTH as its primary programming language. In FORTH, it is possible to dynamically change the number base from decimal to octal or hexadecimal or just about any other value you want (working with bases higher than 255, however, gets tricky, since the system runs out of characters to represent digits). We converted our software to base 15 before compiling it, and relied on the possibility that anybody trying to reverse engineer our products would not notice that the hex number 'F' never appeared.

    It was while playing around with the number bases in FORTH, by the way, that let me discover that the question "What do you get when you multiply six by nine?" does yield "42" when it's computed in base 13.

  5. nodwongo

    you guys just talk and dont think by your self.
    digitally its the same font as every other font too, this is very obvious, and you found it your self :D
    as we know the most cruel "hacks" come from within, guys as snowden the hero!
    such a font and low contrast settings protect people against such whistleblowers, spying on your login names or your secret message from behind your back.
    thats all, to protect your message also digitally you need to encrypt the text and not the font.

  6. Anti Survelance

    They may not be useful for NSA coz duh we need encryption for that, but they are sure as hell useful when placed on cars, no one can read the license plate now LOL

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.