Servers
Baffling barcode-on-steroids stickers plaster the EARTH
QR codes are everywhere. They have completely overrun Japan and are becoming well-established in the rest of the world as well. There are plenty of convenient uses for this technology, as well as several less carefully considered uses. QR codes were created in 1994 by Toyota subsidiary Denso Wave. There was a need for a machine- …
This topic is closed for new posts.
Hands up everyone who...
...just emailed addressdoesnotactuallyexist@theregister.co.uk.
Re: Hands up everyone who...
I was hoping the codes in the article actually contained some secret URL or message :(
Smartphone camera limitations?
Boy, you wouldn't think it here in Japan, where even the cheapest phones seem to handle v-40 QR codes without breaking a sweat -- even when (as is common) they're printed on glossy colour posters or transparent window decals. It's telling that iPhone users seem to have the most trouble -- you can spot them stopping, carefully framing, and retrying the QR codes instead of snapping them in passing like most folks with domestic phones. Methinks the US and Chinese phone manufacturers need to work on their image processing software, not on their CIS resolution!
Next stop IPv6 and home servers
Now imagine a little box containing some sort of server, perhaps part of a de-centralized social network. You plug it in, it'll boot, and display a QR-code on its display. This code contains the IP-address of the server as well as an authentication token. You photograph it with your mobile phone, set a bookmark in your browser and there you go. Alternatively you can press a button on the device to get the information in human readable form.
This would save a lot of data protection problems instantly.
What innovations will the next 18 years bring?
How about infrared or ultraviolet QR codes? Those ought to give the spy agencies lots to think about. ;-)
Dave
P.S. My QR code is the one that looks like the naked Scarlett.
Re: What innovations will the next 18 years bring?
"ultraviolet QR codes?"
That actually is a pretty neat idea. Use a UV LED to cause the pattern to fluoresce, and take the picture (without flash, of course). It would be a good way to de-uglify things, and would also make a dandy way to introduce a bit of obscurity to a link (e.g. stamp your property with the code - bad guy doesn't see it, gets busted, cops scan swag with UV light, scan code, call you.)
You could even do a real Indiana Jones moment: arrange some pattern of objects in the world that, when illuminated by the sun on a give day and time, forms the pattern. I'm surprised some artsy type hasn't done this.
Re: What innovations will the next 18 years bring?
Didn't someone do a Hello World DataMatrix code in a wheat field once already?
Re: What innovations will the next 18 years bring?
Even better, IR. Infra read is already detectable by most digital cameras. Not sure how you'd get the ink to reflect IR enough though. :/
Dumb companies
First: Used properly, QR codes are great - they are everything that the Cue-Cat should have been, but wasn't.
BUT: I've seen some stupid companies use them. I got a post-card sized item of junk mail in my mailbox (US Postal Service: about all we do now is advertising), with NOTHING but:
The company's name.
A QR Code.
That's it. No info on what these jokers do, or why I should want to scan their code. If they think I'm going to just blindly follow a link like that - they've never seen a certain Christmas Islands domain, have they?
So, what did I do? Not scan their QR code, that's for damn sure. But being a curious monkey, I searched for the company name, found out what they did (avoiding their actual web site like the plague), and decided that yes, I really didn't give a frip, and fed their missive into the shredder.
Anybody who goes around scanning random QR codes stuck to random objects by random people should be forced to live in an Amish community as an Amish person - they clearly are not ready to live in this technological world.
Re: Dumb companies
Good point. I know of one application which uses them as links to inform emergency services of specific conditions in buildings. For example, when the firemen rock up to a high-rise, then can get up-to-date information on which residents need help evacuating (sounds a bit basic, but I live in a high-rise and it is a surprisingly common problem). You still need to keep a list of the people somewhere, but keeping it on-line makes updating it easier.
emails
Personally, I think anyone with one in their email signature is a twat. But then again I think the same of anyone who spams me with more than a few lines of ASCII. I don't need to see your corporate logo, or logos for the myriad of products you claim to be an expert in. The more you put in your signature, the less I think you're actually any good at what you do.
Name. Phone number. Job title. That's all you need. I'll let you off with a small quirky quote, if you must. Anything else is twattage.
There. Said it.
"A QR code can easily contain a link to a scam or a blob of malicious binary information"
Sure, so can a printed URL.
I would argue that QR codes are no more obscure than links in email and web pages, given that many common (albeit to be avoided) email clients and browsers fail to display the full URL of the link before the user clicks on it; whereas all QR code scanners I've used display the URL and accompanying text, requiring at least token approval from the user before opening the URL.
Yes, OS manufacturers and enterprise admins need to do more to lock down permissions to sandbox or block malicious code. (In Android's case, a *lot* more.) But displaying URLs and text blocks as easy-to-read QR codes does nothing to exacerbate this problem.
Re: "A QR code can easily contain a link to a scam or a blob of malicious binary information"
I think that was meant to be read with slightly different emphasis:
"A QR code can easily contain a link to a scam, or a blob of malicious binary information".
OK, any form of URL can link to malicious content, but I think the point is that the QR code itself has enough space in it to contain a useful buffer overflow targeted at the QR software itself.
Not many people would type in a printed URL like "http://www.theregister.co.uk\n\n000000000000000000000000000000000000000000000000xdeadbeef", but a QR code neatly gives you the ability to blob that right up.
Re: "A QR code can easily contain a link to a scam or a blob of malicious binary information"
itself itself itself itself
Yes, but...
The QR code standards are refreshingly uncomplicated; and even the highest density (v.40) code is limited to a modest 4296-byte payload. This means that the possible buffer overflow vulnerabilities are fairly limited, so it's reasonably easy to implement the QR reader software to avoid internal buffer overflows and then test for such vulnerabilities. I'd be more concerned about the QR reader passing along otherwise legitimate URLs that carry out things like format string attacks to downstream clients.
But I'll reassert my position that the most critical security focus needs to be on (a) educating users about the dangers of phishing and messed-up URLs, (b) giving them tools (like displaying the link URL) to help them avoid clicking on dangerous links, (c) fixing the OS so that it doesn't automatically execute downloaded code, and (d) sandboxing downloaded code so that it can't affect the rest of the system.
Re: "A QR code can easily contain a link to a scam or a blob of malicious binary information"
I think the reason for the lack of concern is the physical limitations of the barcode. Even at maximum size it can only hold so much information, which is explicitly stated. And the code standard is pretty robust and well-defined (as in just about every possible situation is defined). Which means it would be hard to buffer overflow if the barcode can only hold so much information. An 8K buffer will hold even the biggest all-numeric QR code.
A QR-code for "42"
is what would like to stick on every QR-code I find.
Mine is the one with the cassette tapes of the Hitchhicker's Guide to the Galaxy radio plays in the pocket
Now all I have to do is make some stickers with teh equivalent of this on them:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Just a rumour
That al-Qaeda and friends are using these to pass messages around in broad daylight.
Re: Just a rumour
How does that differ from a personals ad "Chrissy Wayne, happy 21st from Ducky" or (approximate Heinlein quote) "James N, make your will. You have 27 days to live".
Both select prearranged messages: "Chrissy Ducky" or "N 27". As old as the hills, and less breakable.
Re: Just a rumour
So, what did they mean? It's been a while since i read "Friday." Other than "some bigshot's going to get it."
Re: Just a rumour
PASSING MESSAGES AROUND IN BROAD DAYLIGHT!!!?
And what does the government do?! Asleep on the force lever, as usual!
Recursion
What about...a QR code that contained only the URL for the image of itself? Does this break the internet?
Re: Recursion
No, a QR code containing a link to https://www.google.com/search?q=google would break the internet though.
How about someone providing a solution?
I've seen them around and never used them. Seen lots of people complain. But rather than accept it as a problem, I thought I'd look for a solution.
Did not find any. :(
So, what do people want from QR codes? I'll put the idea forward to BBC 3 and their "Be Your Own Boss" show. If someone makes a QR code everyone wants to use I'm sure they will be even more of a success!
CLASSIFIED TOP SECRET MAGINOT BLUE STARS
Anyone made a decent SCORPION STARE with class IV Basilisk capability QR code yet?
The possibilities of pwning any phone that passes by is intriguing.
@wtfqrcodes
http://wtfqrcodes.com/post/19736272462/oww-my-head-via-jakedevine
Has a screenshot from a mobile phone pointing to http://www.webdigi.co.uk [1].
"This page has to be ideally opened on your laptop or desktop browser.
"Once you open this link on your computer then you will have a QR code to the URL that needs to be opened on your device.
"OK"
[1]. to name and shame
Oh the assumptions!
my phone has no camera, no g3 connection - not everyone can afford these toys... at least i won't be caught by scams and spams ^_^
IR code hack
Actually, most cameras can do this already.
Just remove the IR filter (requires edge of the seat microsurgery on camera lens) and then put a NIR LED from a camcorder etc in place of the existing white LED.
Not obvious its been done, but that 'phone is now far more useful.
Works great for low light, garden wildlife photography etc.
I tried this a while back, it works better on B/W cameras but colour ones also somewhat work.
Zapping the CCD with a focussed red DVD burner laser to blow out the green and blue filters would probably increase the sensitivity at the cost of ruining the camera for colour.
Nearly the perfect covert message system, as no-one else can see the message.
AC/DC
Denso
A good primer.
Denso is an independent Japanese car parts supplier, not a subsidiary of Toyota. http://www.globaldenso.com/en/investors/stock/index.html. Similar to Bosch in Germany.
Both at home and overseas, they have close ties to their Japanese customers - of which Toyota is the largest.
QR codes are less common in Japan than articles like this always suggest. At least for consumer applications.
I used a QR code for the first time yesterday. It was a link to an Android app I had found on my PC, and I did not want to type the URL on my phone. On-screen data transfer is another good application for this tech. It is quick and easy.
Re: Denso
I am always curious about the threshold for the concept of "subsidiary," and how it may or may not differ per culture/regulatory regime.
Denso was spun off from Toyota in 1949. It is most certainly its own distinct legal entity, but Toyota still retains a ~24% stake in the company. What's more, Denso owns shares in a number of companies itself, many of which Toyota owns a significant chunk of. The two companies cooperate on nearly every level and are completely and inextricably linked together for all practical purposes.
I’m willing to accept that subsidiary might not be the exact correct term for use in this situation. “Partner” doesn’t cover it either. The closest anglicism I can come up with is “clan member.” Separate distinct entity, but unquestionable “part of the family.”
As to “use in day to day life,” well…that seems to depend on who you talk to. My Japanese friends claimt he things are embedded everywhere. From bus route info to advertising, passport baggage claims to all sorts of other things. Where we might use a regular 3of9 barcode or some form of reference number, QR codes seem to be used there.
Maybe that is different in different areas? (And why not? Different cities would certainly have different methods of representing transit info, etc?) But overall, it seems that QR codes are simply “a fact of life” in Japan whereas they are still largely a novelty everywhere else.
Interesting to hear a different take on the matter, though!
Re: Denso
It's an interesting concept - look up keiretsu, zaibatsu or (Korean) chaebol. It's basically a business empire, where a group of companies all work with each other by preference, with suppliers, consumers, a bank or two, and distributors all linked.
Re: Denso
I'll buy that for a dollar, but am unsure how to use it. I had always heard the term applied to the parent company, as with chaebol or conglomerate. Without using the word subsidiary, how do you use kieretsu in a sentance to decribe child companies? "Denso is an independant mid-tier corporate node in the Toyota kieretsu?"
Barring XML, I don't know that axequate descriptors exist. :)
Pointless!
www.wtfqrcodes.com
Fully justifies the complete pointlessness of QR codes.
This topic is closed for new posts.
