Someone built a thing called Ghost Font and it's worth five minutes of your time. It hides a message inside a video. Every frame on its own is just dots. You can only read the words while the dots are moving, which your eye handles fine and a model doesn't. The author tried it on the current frontier models. They mostly failed. One of them thought about it for nineteen minutes and then made up a message that wasn't there.
It's from the team at Mixfont, who otherwise do font generation and font recognition tooling, so this is them poking at the edge of their own field.
Back in 2013 a designer called Sang Mun, who used to contract for the NSA, released a typeface called ZXX. Six cuts, four of them deliberately mangled: letters under camo patterns, letters with an X struck through them, letters sitting underneath a bigger fake letter. The idea was that OCR couldn't read it but you could. The press ran with it and called it surveillance-proof.
It took about a decade for that to stop being true. Paste ZXX into any multimodal model today and it reads it straight back, small print included.
Worth remembering that the security people didn't buy it even then. Ross Anderson at Cambridge called it privacy theatre in 2013 and said the fonts could probably be broken. Matthew Green made a similar point: to a scanner, a weird looking A is just another shape, and shapes are what these systems are built to sort. They were right. It just took ten years for the hardware to catch up to the criticism.
Here's what I actually liked about Ghost Font, and it isn't the part that gets the attention.
Motion works today only because current multimodal models chop video into stills and look at the stills. That's an implementation detail, not a law. Give an agent a terminal and it can diff the frames, track the dots, and pull the message out with fairly ordinary code. Any of us could write that in an afternoon.
So Ghost Font does something else. It plants a decoy message in every video. The agent goes hunting, finds the decoy, decides it's solved the problem, and reports back with confidence. The real message sits there untouched.
That's the actual trick, and it's a good one, because it isn't attacking the model's eyes. It's attacking the model's willingness to stop looking. Anyone who has watched an agent declare a task complete two steps early will recognise the failure mode immediately. It's the same bug, weaponised.
Because most of what I see teams doing to keep bots and scrapers out is the same bet in a different costume.
Obfuscated markup so the class names change every deploy. Prices baked into images so they can't be lifted. CAPTCHA. Honeypot fields. Text rendered to canvas. Every one of these assumes the machine perceives worse than a person does. That assumption has been quietly eroding for fifteen years and there is no version of the next five where it reverses.
The Ghost Font author says the same thing in his own post: if you actually need to hide something, encrypt it. A key doesn't care how clever the reader gets. A perception gap does. Everything that depends on a perception gap is on a clock, and you don't get to see the clock.
None of which makes it useless. It just means you have to file it correctly.
Obfuscation is a tax, not a wall. It makes attacks more expensive. That's a completely legitimate goal when what you're actually fighting is volume rather than one determined adversary who wants your data specifically. Most scraping is volume. Most credential stuffing is volume. Most form spam is volume. You don't need to stop it, you need to make it not worth the compute.
Ghost Font as a CAPTCHA replacement is a decent idea for exactly that reason. It doesn't need to be unbreakable. It needs to be expensive enough per attempt that mass solving stops penciling out. Same logic as proof of work, same logic as rate limiting, same logic as making someone verify an email before they can post.
The mistake is filing the tax under "secured" on your risk register. If your protection dies the day a video-native model ships, and one will, then it's a running cost with an expiry date, not a control. Budget it that way. Review it that way. And don't put anything behind it that you'd be in real trouble over if it leaked.
The practical version of this, in my experience, is boring. Rate limits and quotas on the API, because they degrade gracefully. Auth on anything sensitive, because a key holds regardless of what's reading. Real encryption for anything you genuinely need private. Then obfuscation on top as a speed bump, sized to the effort it's actually worth, and reviewed once a year with the assumption that it's already broken.
The author makes one more admission that stuck with me. Ghost Font is hard for AI to read, but it's also fairly hard for humans to read. That's the whole product, right there, in the gap between what your eye can do and what a model can do.
That gap is closing from both ends. It's worth watching, because a surprising amount of what we build quietly assumes it stays open.