Fonts in the Wild

Just out of curiosity - after you've released a new font, what's the soonest you've seen it on a file sharing website? 12 days for me.

Comments

  • I released one free font a few years ago on a not too well known platform. When I searched for it, about an hour after uploading, the first hit was a Russian free font site with my name stripped out.
  • Just released new fonts to a well-known distributor a few days ago. No sales yet but the fonts are already on a pirate font site. This also happened 2 years ago.
     
    How is this possible?
  • Rob Barba
    Just released new fonts to a well-known distributor a few days ago. No sales yet but the fonts are already on a pirate font site. This also happened 2 years ago.
     
    How is this possible?
    There could be a number of ways:

    1. Man in the middle attack: that means someone on the inside is feeding them fonts.  Hopefully this isn't happening.
    2. The media keg/assets repository is unsecure.  I would hope said servers aren't, but it's been proven with video game leaks that oftentimes these are the servers that tend to be least protected.
    3. It's possible they might have pulled them from you instead of the source.  Chances are you would have known if this was the case, but it is possible.
  • James Puckett
    edited March 2019
    Just released new fonts to a well-known distributor a few days ago. No sales yet but the fonts are already on a pirate font site. This also happened 2 years ago.
     
    How is this possible?
    Have you actually tried the download links on the pirate site? I find that they’re often just MyFonts affiliate links or malware.
  • Rob Barba
    Just released new fonts to a well-known distributor a few days ago. No sales yet but the fonts are already on a pirate font site. This also happened 2 years ago.
     
    How is this possible?
    Have you actually tried the download links on the pirate site? I find that they’re often just MyFonts affiliate links or malware.
    Actually, just as I was typing up my earlier statement, a friend of mine found some fonts of mine on a pirate site.  Just to make sure, he successfully downloaded the fonts from the site, then mailed them to me.  Just checked the mailed zip and despite the bullshit that the site claims that "we don't allow downloads" and has a DMCA page, they also insert a text file in the zip mentioning that they give out "free fonts, graphics, etc." (and no, we're not talking gratis or libre here.)

    So yes, while I'm sure there are affiliate links, in this particular new case, no it's not.

    If anyone wants the URL of this site so you can check for your fonts, PM me.  I'll be happy to furnish you with the info so you can start your DMCA complaint engines.
  • Ray Larabie
    edited March 2019
    3 days once. If it's the site I'm thinking of, they rip the web font, the metadata and promo graphics directly from MyFonts.

    Lately I've noticed something new showing up when I vanity search my font names: several almost identical "blogs" that look like pirate links. They're actually legit Fontspring affiliate sites that look like blog posts that lead to pirated fonts. Hover over the links such as "Download now Server 3" and they go straight to Fontspring. It's not really related to the OP but I just think it's pretty great that they're often ranking on Google higher than actual pirate sites.
  • Rob Barba
    edited March 2019
    3 days once. If it's the site I'm thinking of, they rip the web font, the metadata and promo graphics directly from MyFonts.
    In my case above, they obtained it from Creative Fabrica.  I can tell simply because CF made an error in the publicly available files that I'm still trying to get them to fix, and the error is reflected in the files the pirate site has.
  • Stephen Coles
    edited March 2019
    They're actually legit Fontspring affiliate sites that look like blog posts that lead to pirated fonts. 
    Fontspring and Monotype should use more discretion in who they allow in their affiliate programs. (CC @Joe Manbeck @Ethan Dunham)
  • James Puckett
    They're actually legit Fontspring affiliate sites that look like blog posts that lead to pirated fonts. 
    Fontspring and Monotype should use more discretion in who they allow in their affiliate programs. (CC @Joe Manbeck @Ethan Dunham)
    I’d rather people get suckered into fake pirate sites than real ones or malware sites.
  • Paulo Goode - That is exactly the case - Web fonts accessed, licensing info stripped, poor quality OTFs generated, added to a Russian pirate site.  

    MyFonts has a leak and they need to plug it up. 
  • John Savard
    edited March 2019
    Paulo Goode - That is exactly the case - Web fonts accessed, licensing info stripped, poor quality OTFs generated, added to a Russian pirate site.  

    MyFonts has a leak and they need to plug it up. 
    In order to plug that leak, they would have to stop using web fonts. Thus, presumably, their servers would now generate .jpg files when you asked to see pangrams instead of AaBbCc... of the font samples. (This would involve significant investment in additional processing power for MyFonts' servers.)

    However, the minute someone actually bought the font, and used it with a web font on a web site, it would be available for stealing (although, admittedly, no longer trivial for the pirates to find).

    So for MyFonts to plug the leak... since they couldn't really plug it, might not seem worthwhile to them even though it would preserve their popularity with font suppliers.

    How else could the leak be plugged? Well, if how to read a web font for purposes of rendering were a closely guarded secret - you know, like the encryption on Blu-Ray discs and DVDs - shared only with qualified browser makers under NDAs and so on, then the Russian pirates would now have to do some serious hacking at least.

    Of course, that would mean that web fonts would be supported by Microsoft Internet Explorer, Microsoft Edge, and Google Chrome, because those browsers were made by major corporations... and not by open-source browsers like Firefox.

    Which is a pretty big price to pay for keeping fonts from being pirated... only for as long as it takes a Russian hacker to disassemble Internet Explorer.

    So solving this problem is not trivial, not easy, and may not even be possible. (MyFonts was created by Bitstream, itself no stranger to font piracy of a sort, but only the legal kind of designs and not the illegal in most places kind {America, I'm looking at you} of vector data, but apparently it's currently owned by Monotype... but I doubt that is a factor that will get in the way, one small piece of good news.)

    Of course, though, upon reflection, there is a technical solution.

    Have the web font format encrypt the font using a method that is a closely guarded secret. But share the secret with Intel and AMD, as well as Samsung, Apple, Qualcomm, and ARM holdings... and then develop another standard, akin to HDCP for sending things over HDMI cables which is known to the companies that make video cards and the chips that go in laser printers (Intel, AMD, et cetera, only need the public keys for that standard in their capacity of user CPU makers, although their chips might also go in laser printers - and, in the case of AMD, they may also make video cards).

    Even this may not hold the Russian hackers off forever, but it does give a fighting chance. (Well, sort of. I don't suppose there are any pirated versions of Hollywood movies online, now that they're guarded by all this sophisticated anti-piracy technology?)

    Of course, there's a plug-in for FontForge that automatically generates vectors from images of the characters in a typeface, so the pirates would still have a fallback...

    EDIT: I should make it clear, though, that I'm not criticizing you for your post. It certainly looks as though MyFonts is just handing the pirates everybody's fonts on a silver platter by using a web font to display each new font that is advertised on their site.

    But web fonts are protected by encryption. They are using the reasonable technical measure that is currently available.

    If they didn't use web fonts, they would have to perform the rendering of fonts they display on the server side, and this would result in an enormous increase in the processing power they would require for their site. Of course, though, there is a reasonable option here that I missed: they could change the design of the site so that the options for displaying each typeface are not quite so flexible. If all the samples of a typeface were just images generated in advance, instead of being generated on-the-fly in response to requests from people viewing the site, then there wouldn't be an unreasonable requirement for processing power.

    The other options - making web fonts more secure - are what Hollywood tried, and it didn't work for them.
  • Thomas Phinney
    The movie industry is ~ 100x the size of the font industry. The OS vendors and other big wheels simply do not have sufficient business incentive to protect fonts. And even if they did, I am doubtful as to how effective it would be, for how long.
  • Cory Maylett
    edited March 2019
    Picking up on what John Savard  just wrote...

    There's likely no foolproof way to prevent piracy, but the fact that almost nothing is available to inhibit it is what concerns me.

    Adobe CC software, for example, needs to check back with Adobe over the Internet for validation at periodic intervals or it just stops working. Of course there's loads of obscure compiled code in their executable software into which this kind of thing can be hidden and embedded. It would take some significant programming (along with the initial expense) for similar technologies to be embedded in the relatively simple code that makes up a font.

    I'm hardly an expert on any of this, so there are undoubtedly holes in any approach I might come up with. That said, has anyone here heard of steganography? It's a process by which embedded information can be easily stored within the pixel arrangement of a photograph. Although there isn't typically bitmapped information in a font, there is plenty of code that could be surreptitiously tweaked by a digit or two here and there in random spots that could serve as the basis of inserting a unique encrypted serial number into every copy of a font. The font, like Adobe CC software, would need to periodically check in during a time that the licensed user was logged into his or her account during the re-verification. Any initial first-use of the font on an unknown computer would also need to be similarly validated.

    Of course, a small validation program would need to be inserted into the font to perform that periodic check. A hacker, of course, could remove that software. However, critical parts of that software could also be embedded directly into the font data in ways that rendered the font unusable if it were removed. Conversely, critical parts of the fonts themselves could also be written and encrypted directly into the compiled validation software in ways that prevented the font from working properly if tampered with.

    Could all this be reverse engineered by hackers with enough time on their hands? Probably, but every instance of a font (or family) would have a unique serialized number encrypted and placed in random spots in the font code during purchase and only known to the host software that the validation program would need to periodically check in with. If these hackers were stealing highly profitable secrets from whomever, it might be worth the effort to try, but is the motive to hack through thousands of different fonts with multiple levels of randomly hidden encryption worth it just for the sake of uploading them to a free font site?

    Of course there's the whole issue of web fonts or embedding them into PDFs or giving temporary font access to printing companies, but I'm quite certain these problems could also be mostly addressed and passively enforced through software security, with some money and effort by, say, Monotype or Google or any number of companies that might have an interest in doing so.

    This or other techniques likely wouldn't stop font piracy, but I suspect they would greatly inhibit it and would certainly keep random individuals from uploading their company's fonts out of boredom, which I think is what usually happens. Yes, it would be a hassle — just like Adobe CC validation can be a hassle, but it could also be made mostly transparent to average legal users. The real point is to make piracy inconvenient and difficult, not necessarily impossible.

  • Thomas Phinney
    Historically, Adobe implemented copy protection for fonts three times, and deployed it twice, and every time ended up killing it because it wasn’t worth it in the long run. 

    Other attempts at font copy protection have failed, floundered or been discontinued.

    So doing it all over again? Infrastructure that actually checks for the font's license/validity and disables it if things don’t match... not likely to make it in the real world. Real copy protection is possible, but it’s a huge pain for the implementor, and incredibly expensive to do, and users hate it.

    One could mark each and every font individually as to who it was delivered to. That isn’t copy protection, and has been done. Of course, that's a nightmare for font management/matching (look up FontSense some time). And it doesn’t prevent piracy, just lets you know whose fonts were pirated... at least until/unless the pirates figure it out. Of course, if they pirate at the distribution level upstream, or from the fonts being used on the web (perhaps on your own site), then the fingerprints are a bit pointless.
  • Thank you John Savard and everyone else who responded. 

    Last time I notified the distributor I got this as part of a reply from a person running the show - "If we are not already doing so, sample webfonts should be severely subsetted to make them essentially useless to pirates"
  • John Savard
    edited March 2019
    Yes, subsetting the web fonts, in addition to not using web fonts, just .jpg or .gif image samples, is another solution that would actually work - at the cost of making the web site less flashy. (One could use both approaches, including in the image samples the characters excluded from the subset, so that the whole font can be seen, but views can also be customized.)

    However, how severely does a font need to be subsetted to make it useless to pirates? If you exclude some letters of the alphabet, the web font is of limited usefulness for displaying user-chosen text samples. (This can, and has, been done for downloadable demo versions of fonts, of course.)

    If you include the whole alphabet, upper and lower case, the ten digits, and the very basic punctuation .,:;!?&$() then you have included everything a traditional foundry font included for a typeface; characters like @ and % were considered sorts, and it was not at all unusual to always use a Scotch Roman-like version of them no matter what typeface one was using. (Eventually there was also the choice of a News Gothic-like version.)

    So it may be that if one subsets a web font severely enough to make it useless to pirates, it's also not particularly useful for those font sales site features that use web fonts. I may be unduly pessimistic here, but the issue of how to subset would require careful thought.

    On the other hand, just excluding all the accented letters might reduce a web font's interest for a pirate, while still leaving it useful for display of user-chosen samples.
  • Viktor Rubenko
    edited March 2019
    However, how severely does a font need to be subsetted to make it useless to pirates? If you exclude some letters of the alphabet, the web font is of limited usefulness for displaying user-chosen text samples. (This can, and has, been done for downloadable demo versions of fonts, of course.)
    The glyph set that is used by MyFonts on 'Webfont' page:
    Some uppercase, most part of digits and all lowercase

  • John Savard
    The glyph set that is used by MyFonts on 'Webfont' page:
    That, unfortunately, isn't what we're talking about here. MyFonts also uses a webfont that doesn't have lots of characters removed (or, rather, replaced with Times Roman) the way your image shows, so that the pages of previews work.

    So you can choose to see previews as "pangrams" or "AaBbCc..." or even text you yourself type in - and no characters fail to work.

    Those web fonts may not be directly available for download, but they are still sent to the browser to display the page, and suitable plug-ins, or modified versions of the browser, will be able to snag them.
  • Viktor Rubenko
    edited March 2019

    Those web fonts may not be directly available for download, but they are still sent to the browser to display the page, and suitable plug-ins, or modified versions of the browser, will be able to snag them.
    How is it possible to get a font file from a PHP request that returns a PNG image?
    https://render.myfonts.net/fonts/font_rend.php?id=4d0fc139af3265e14bfdb5ebe91672ee&rt=Typedrawers.
  • Ralph Smith
    edited March 2019
    If anyone is interested this is the site -

    https://vk.com/about

    They claim to be an "information distributor"

    Here is the page they direct you to if you want to request your files be removed.
    https://vk.com/help?act=cc_terms 

  • John Savard
    edited March 2019
    How is it possible to get a font file from a PHP request that returns a PNG image?
    Then I - and others here - are mistaken, and MyFonts is already generating font previews on the server side. I had thought this would consume so much computing power that it would be unrealistic to ask for.

    In that case, it's a mystery, at least to me, what the technique is these Russian pirates are using to grab copies of fonts, shortly after they're first offered for sale, before even a single copy is sold. Although, reviewing the posts in this thread, perhaps while MyFonts takes adequate precautions, another site, Creative Fabrica, fails to do so - if I understand the post mentioning them correctly.

    Apparently, I must be mistaken, because the Creative Fabrica site, which I have just visited, doesn't do any dynamic sample display, unlike MyFonts, so there is no reason for them to use web fonts of the fonts they're selling.
  • Viktor Rubenko
    edited March 2019
    If anyone is interested this is the site -

    https://vk.com/about

    They claim to be an "information distributor"

    Here is the page they direct you to if you want to request your files be removed.
    https://vk.com/help?act=cc_terms 

    This is the most popular social network in Russia and the CIS region.
    The second and the third provisions of the rules state that if you find your stolen content, you can write to the administration about it, and if the fact of theft is confirmed, they will take action.

    In that case, it's a mystery, at least to me, what the technique is these Russian pirates are using to grab copies of fonts, shortly after they're first offered for sale, before even a single copy is sold. Although, reviewing the posts in this thread, perhaps while MyFonts takes adequate precautions, another site, Creative Fabrica, fails to do so - if I understand the post mentioning them correctly.
    Some of our fonts were stolen from CreativeMarket even before 1st sale :)
  • John Savard
    edited March 2019
    Yes, VKontakte is sort of like Facebook in Russia.

    I checked and found one pirate forum for fonts on VKontakte, and Helvetica Neue got removed from it due to a removal request, so asking to have your material removed does actually work.

    And Creative Market appears to only display image files for fonts as well, so I don't know how they could be the target for font thieves.
  • AbiRasheed
    edited March 2019
    Piggybacking on what Cory mentioned I did something involving the same theory I guess but on a much much simpler scale with my first typeface. I figured if you can uniquely identify each download it'll give clues to where it came from and whom and so on, so in one of the glyph cells I had a custom thank you note with the customer's name in it. I did this manually of course because the file was available only on request and sent to them by me. If this entry into the cell can be randomized and automated maybe it's something to look into....however piracy is still going to exist but at least an identifier tells you the source which could be helpful info I think.
  • Ray Larabie
    Disclaimer: I don't know what the hell I'm talking about. Feel free to tell me why this wouldn't be effective.

    I think it might be possible to do a cipher subset when serving web fonts on a font distributor's site. Every time a user previews a web font, a new cipher is generated. In the same process that subsets the font, the index and name table is shuffled. The user types the sample string in a box and it gets converted to the cipher which makes the shuffled font readable. If a malicious user tries to figure out the cipher by typing in the alphabet and comparing with the output string, they can. But there's a limit (or could be) to how much they can type on a single line. If they enter A-Z, they can determine the cipher for those characters. If they subsequently enter a-z, there's a whole new cipher. Complicated, maybe not. If the system is already subsetting, it's already processing and serving the same font over and over. It would take a few more cycles to generate a cipher and shuffle the tables.

    But maybe it's futile because they could systematically take several partially scrambled fonts and assemble them into a complete font and maybe even rebuild the kerning table.

    I like the idea of serving up an SVG or bitmaps because there's no practical way to reverse engineer the metrics. The resulting fonts would be unsuitable for professional use.
  • Even if they can't access the fonts directly, tracing characters from web specimens is an option. For example, two minutes of playing with MyFonts and I have this URL:


    This gives me an 800px tall image of the letter A of Neue Helvetica Pro 95 Black. You can modify the rendered letter with the last parameter of the query (rt=A), and a script could cycle through the whole Latin character set in a few minutes. The resulting images could be traced to vector images and converted to a font with off-the-shelf scripts. I'd estimate this a lunch break's worth of effort. Once you have this working for one font, it'll work for all fonts on MyFonts.

    Sure, these will be lousy fonts, but the target demographic doesn't seem to care.

    I have been an observer of the hacker/pirate scene since the mid 1980s, and I have never seen uncrackable security. Don't underestimate what a bored teenager with lots of free time can do. Let alone a clever, educated programmer. Let even aloner a team of 'em!
  • Viktor Rubenko
    edited March 2019
    Funny thing is that pirated fonts are shared on a Russian social network mostly by non-Russian users, who specifically registered there.
    https://vk.com/topic-50911295_28400527?offset=133620
  • From this very thread on vk:

    Odessey Oldshkolovich 9 Aug 2018 at 1:52 wrote:

    Oh, it seems like it's time to get things clear.
    Thx Aluisio for your very correct and timely question. How can you get to know what is worth it and what is “crappy”? There are only two ways – get enough knowledge to be able to make that decision yourself, or trust somebody’s opinion. The second one is not for me, and I hope it is not for you either. So, I’ll try to give you a few criteria I have already studied regarding the topic and the first way…
    There are two possible types of fonts posted here – official and so-called rips or web-rips. The interesting thing is – both are pirated (except demos).
    Officials could be full fonts or their truncated versions – demos (sometimes demos would be a full-featured font). The most important thing here – there is no way to claim confidently that some font I got on the board is an official one, as there is no absolute criterion for that. It could only be a hash (checksum) of the file that you may compare with the hash published on a trusted source like an official foundry site or a web-shop like myfonts.
    But we do not have such a database, so no luck. The good news is we have a great possibility at that myfonts site – there you can find file sizes for the current font version. That very likely means the one you got with that size is official. That is not 100% but very, very likely. The bad news is – not all fonts are represented at myfonts.
    In all other cases you can’t be sure you have the official font version. At least I didn’t see other sites with enough tech data to verify the files.
    If you see in any field of your font something like “com.myfonts.easy.*********.wfkit2.version.4ZQE” – that is a web-rip done from the web version of the original OTF (TTF) font obtained from the myfonts site.
    If you see “wf”, “rip”, “FLVI”, strange dates, or abbreviations in any font properties fields where they look obviously inappropriate – that is exactly a web-rip.
    The worst situation is when all those fields are “clear” of any unnatural information and you have no source for the file size. All looks right and you can’t claim it is a rip or an official one. Because of that, “right” rippers leave special marks somewhere that you would see to qualify the font version as ripped.
    By the way, such marks are not any “digital signature”, as one who “thinks herself very smart” claims. A digital signature is a very special process based on external licensing and practically inaccessible to rippers. You can see that when using the standard Windows font viewer as “Digitally Signed” in the third line. This feature was made for exactly the verification we are looking for. But some versions of software can now put in that string without an external license check (FontLab 6, for example). So, no luck again.
    That is all I wanted to tell you about official/ripped fonts… but your question was about “good”/“bad” fonts…
    That is a very complex question, as we need to decide on the judgment criteria. But anyway I have a question too – is the rip “bad” in the case where the original font and its web version were “bad” themselves in the same respect? For sure any further modification like ripping could not make the font better, but it does not necessarily make it worse.
    From my personal experience, we got a lot of internally “notsogood” fonts directly from the foundries. In other cases fontshops and websites specially break the fonts to make them unacceptable for ripping.
    That is all about the first way for now…
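
For a foundry triaging a file found in the wild, the checks the quoted post describes (a hash compared against released files, then marker strings in the font's name fields) can be scripted. This is an added example, not code from the thread or any participant; the matching rules, function names and sample strings are assumptions constructed for illustration, and it reads uncompressed TTF/OTF only.

```python
import hashlib
import re
import struct

# Markers quoted in the post; how they are matched is this example's assumption.
WEBKIT_ID = re.compile(r"com\.myfonts\.[\w.*-]*wfkit", re.I)
TOKENS = re.compile(r"(?<![A-Za-z0-9])(wf|rip|FLVI)(?![A-Za-z0-9])", re.I)


def name_records(font: bytes):
    """Yield (nameID, text) for each record of an sfnt (TTF/OTF) 'name' table."""
    num_tables = struct.unpack_from(">H", font, 4)[0]
    for i in range(num_tables):
        tag, _sum, off, length = struct.unpack_from(">4sLLL", font, 12 + 16 * i)
        if tag == b"name":
            break
    else:
        raise ValueError("no 'name' table found")
    table = font[off:off + length]
    _fmt, count, str_off = struct.unpack_from(">HHH", table, 0)
    for i in range(count):
        plat, _enc, _lang, name_id, n, o = struct.unpack_from(">6H", table, 6 + 12 * i)
        raw = table[str_off + o:str_off + o + n]
        if len(raw) != n:
            continue  # string lies outside the table; ignore the record
        # Macintosh-platform strings are single-byte, the others UTF-16BE.
        codec = "mac_roman" if plat == 1 else "utf-16-be"
        yield name_id, raw.decode(codec, errors="replace")


def webrip_indicators(font: bytes):
    """Return (nameID, reason, text) for name strings carrying a rip marker."""
    hits = []
    for name_id, text in name_records(font):
        if WEBKIT_ID.search(text):
            hits.append((name_id, "webfont-kit id", text))
            continue
        token = TOKENS.search(text)
        if token:
            hits.append((name_id, f"token {token.group(1)!r}", text))
    return hits


def triage(font: bytes, release_hashes: set) -> str:
    """Hash match first (the only firm evidence), then the heuristic markers."""
    if hashlib.sha256(font).hexdigest() in release_hashes:
        return "matches a released file"
    return "web-rip markers" if webrip_indicators(font) else "undetermined"


def build_sample(names: dict) -> bytes:
    """Constructed input: an sfnt wrapper holding only a Windows 'name' table."""
    strings, records = b"", b""
    for name_id, text in sorted(names.items()):
        raw = text.encode("utf-16-be")
        records += struct.pack(">6H", 3, 1, 0x409, name_id, len(raw), len(strings))
        strings += raw
    table = struct.pack(">HHH", 0, len(names), 6 + 12 * len(names)) + records + strings
    header = struct.pack(">LHHHH", 0x00010000, 1, 16, 0, 0)
    return header + struct.pack(">4sLLL", b"name", 0, 28, len(table)) + table


# All strings below are constructed samples, not values from a real font.
CLEAN = build_sample({1: "Example Sans", 3: "1.000;EXMP;ExampleSans-Regular",
                      5: "Version 1.000"})
RIPPED = build_sample({1: "Example Sans", 5: "Version 1.000",
                       3: "com.myfonts.easy.example-foundry.example-sans.wfkit2.version.XXXX"})
TAGGED = build_sample({1: "Example Script", 5: "Version 1.000 wf-rip"})
RELEASES = {hashlib.sha256(CLEAN).hexdigest()}

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("ripped", RIPPED), ("tagged", TAGGED)):
        print(label, triage(blob, RELEASES), webrip_indicators(blob))
```

Short tokens such as "wf" and "rip" are only matched as whole words, so a family name like "Example Script" is not flagged; a hit is still a lead to check by hand, not proof.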