Korean graphical designer in "font protest" against PRISM surveillance

Filed Under: Cryptography, Featured, Privacy

About a year ago, a Korean graphical designer named Sang Mun came out with a typeface called ZXX.

He intended that the visual form of some of its characters should make it tricky for espionage agents to recover messages from screenshots or via scans of printed documents.

His Sans and Bold styles are perfectly regular, if mildly trendy:

But he also has four "protest" styles, called Camo, False, Noise and Xed:

The theory is that the alternative styles don't photograph or scan in very well, thus thwarting, or at least frustrating, optical character recognition (OCR) software.

Sang Mun doesn't seem to have been too serious about actually preventing surveillance, but rather about using graphical design as a form of technological protest.

He notes simply that "ZXX is a call to action, both practically and symbolically, to raise questions about privacy."

But a workable form of font-based counter-surveillance has been proposed seriously in the past.

Back in the 1990s, security boffins Markus Kuhn and Ross Anderson of the University of Cambridge came up with a similar idea to protect your computer screen against Van Eck snooping.

In those days, computer screens were almost always made with cathode ray tubes (CRTs), like old-school televisions.

They used a magnetically-deflected beam of electrons fired at a coated glass surface that would scintillate when electrified, thus painting out an electrofluorescent message.

When operating, the entire device would emanate a smorgasbord of electromagnetic radiation that depended upon how the display beam had been modulated.

This stray radiation was, in effect, an alternative analog representation of what was actually displayed on the screen.

In theory - and, to modest levels of satisfaction, in practice - these emanations could be transformed back into an approximate reconstruction of the control signals that produced them in the first place, and could therefore be used to produce a lossy copy of the original image on another monitor.

By playing around with how they rendered text on the screen, Kuhn and Anderson were able to produce fuzzy but still-legible text on their master monitor that was all but invisible on their emanation-cloned monitor.

Their font tweaks caused the emanations to be particularly lossy just where it mattered, in those parts of the signal representing on-screen text.

They called this a Tempest Font, after the codename TEMPEST used to describe compromising emanations from electromagnetic equipment.

As you can probably imagine, Sang Mun has re-launched his own take on Tempest Fonts in the wake of the recent PRISM revelations.

As mentioned above, he hasn't claimed that his typeface can protect you in any serious fashion against surveillance, whether by PRISM or anything else.

Indeed, ZXX can't and won't protect you against very much at all, though annoyingly it might make your messages hard for the legitimate recipients to read.

Sang Mun's various typeface styles all use consistent glyphs for each character, so that the character 'A', no matter how stylised or distorted, always renders in the same way.

Also, the fonts are intended to be human-readable, so that the glyph for 'A' actually represents 'A' in some practical and recognisable way.

So, OCR software wouldn't have too much trouble adapting to the ZXX font family, even it struggled to decode it at first.

Worse still for anti-surveillance is that before a ZXX-formatted message is actually displayed as Sang Mun intended, for example when it is still in PDF or HTML source form, it's likely to look as plain as a pikestaff:

The wacky ZXX font styles are only visually complex once the message has been converted, or rendered, from text into a pixel-by-pixel image.

So if you've seem Sang Mun's artistic protest reported as some kind of practical way to "fool the NSA", or to be "NSA proof" (I'm not going to link to any such articles for fear of embarrassing the publications or the authors)...

...be careful.

Shrouding a message for transmission is best achieved by using some sort of strong encryption, not by the digital equivalent of trying to write it upside down with the pen held in your wrong hand.

, , , ,

You might like

7 Responses to Korean graphical designer in "font protest" against PRISM surveillance

  1. Also, shrouding your transmissions is a sure fire way to get the attention of that three letter group you mentioned in the article. In fact, I've read several articles on Wired and Naked Security regarding the fact that making your traffic anonymous with TOR is akin to being a combatant ^b^b^b^b foreigner in the eyes of those groups with three letter initials. I imagine taking steps to circumvent *ahem* data collection would be treated similarly.

  2. Tamas Feher · 393 days ago

    > Shrouding a message for transmission is best achieved by using some sort of strong encryption.

    Some observations:

    1., There is no proof any really strong encryption exists, as nobody has proven P=!NP yet.

    2., There is not proof NSA cannot read your strong encryption, even if P=!NP turns out to be true. NSA has proven on numerous prior occasions that they are decades ahead of anybody else in the art of cryptanalysis. They may be aware of logic bugs or implementation glitches in AES, 3DES, RSA, etc..

    3., Use of a cipher shows you actually have something to hide. Therefore 3-lettered agencies will target you with HW or SW based keyboard-stealing devices.

    Sincerely: Steganosaurus.

  3. Gavin · 393 days ago

    It's ultimate success for any spy agency when people start saying, "Wow, if I try to protect my data I'll look suspicious. Maybe it's more secure to be totally open and simply just hide in the crowd."

    That's the worst kind of reverse logic that simply doesn't stand up to any scrutiny. Protection (even if it provokes investigation) is ALWAYS more secure than no protection at all.

    Sorry, that was unashamedly off-topic to the article at hand. :)

  4. lonervamp · 393 days ago

    @Scott McCain: No surprise there. In corporate monitoring, if I see tools used to hide traffic or overhear such conversation or have any reason to look a little closer at someone, I do. Not because I want to spy on people, but because attackers would use similar tools and throw up similar red flags during scans/monitoring.

  5. Cliff Jones · 393 days ago

    So far as protecting yourself (or maintaining any dignity) you're damned if you do, and you're damned if you don't. It's no coincidence that this is exactly as the alphabet soup people would have it.

    Governments should never be allowed to print their own 'money' out of thin air. They end up spending it on wasteful and misguided projects like prism.

  6. Laurence Marks · 393 days ago

    I wonder how much attention you would get if you simply started sending all your email in ROT-13?

    • Machin Shin · 393 days ago

      Really big question is, how long would it take them to figure out that is what your doing? Would not shock me if they go overboard trying all these complex things first before realizing that it was painfully simple.

      Even better is when they find out that you used ROT-13, how long do they spend looking for the hidden meaning in your mundane e-mails where all your doing is passing around jokes to friends.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog