I've been writing about QR codes since 2007 - long before they were fashionable. Because QR Codes are so cheap to produce, there has always been a concern that attackers might print out their own codes and stick them over legitimate ones. When I first wrote about QR Hijacking in 2011, I said that such attacks were usually easy to spot: Recently, a new wave of QR Hijacking attacks has been reported in Bournemouth: A further warning about fake QR codes on parking ticket machines has been…
I needed a way to generate a TOTP secret using a fairly locked-down Mac. No Brew. No NPM. No Python. No Prolog, COBOL, or FORTRAN. No Internet connection. Just whatever software is native to MacOS. As I've mentioned before, the TOTP specification is a stagnant wasteland. But it does have this to say about the secret: The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548. The Base32 alphabet is pretty simple. The upper-case letters A - Z, and the numbers 3 - …
Not really a security issue, but one which I thought was worth highlighting. It shows the peril of slightly vague specifications. When you scan a 2FA token into your authenticator app via QR code, you get presented with a bunch of information about your account. This lets you store things like the issuer and the account name. I recently scanned a code, and it displayed my name as Terence+Eden. Which was a bit weird. Try it yourself: Checking the raw output of the code shows the…
Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but no spec. It links to an archived Google Wiki which, as we'll come on to, isn't sufficient. There's some documentation from Yubico which is mostly a copy of the Google wiki with some incompatible tweaks. The Internet Initiative Japan has a subtly different spec which includes an icon parameter…
Search back through this blog and you'll find dozens of posts about QR codes. Back in the day, I was a freelance "Mobile Internet" consultant. I'd rock up to companies and say "you know you can get the Web on your phone, right? It's going to be the next big thing!" And people would pay me handsomely for that advice. I'd also talk about apps - "You don't need one, but if you're going to develop one, here's what you need to know." It was like pushing on an open door. My final pitch was…
It's possible to encode QR images as text. In this case, Emoji! …
One of the greatest cultural achievements of the last Labour Government was making museum entry free for everyone. Whether you're rich, poor, British, foreign, young, old - you can enjoy the treasures of our museums and galleries. Of course, while museums are funded by the state, they still rely on generating some external revenue - hence the ubiquitous gift shop and major corporate donations. In the front of most museums, you'll find a vessel for collecting donations. Usually half full…
There are plenty of QR generators which will render the code in ASCII, but I wanted to try something a little different. Is it possible to hide ASCII Art in QR Codes? Errr.... yes... It's pretty damn simple! I was surprised I couldn't find anyone else doing this. (_/) (='.'=) (")_(") Becomes: Which, when scanned, renders as: Now, there are limits as to what you can put into a QR code - about 4,000 characters. Different devices have different screen widths, which limits the…
This is a necropost - resurrected from the now defunct blog of a previous employer. Sadly, the follow-up post has fallen down the memory hole. You can still read Sharon's response to it. Well, we can finally unwrap one of the little projects The Lab has been working on. Along with the Department of Energy and Climate Change we're aiming to stick QR codes on customers' energy bills. The proposal has the grand name of: "A consultation on proposals to amend domestic energy supply licence…
I'm a big fan of QR codes. A few years ago, I did some work for a major UK retailer who wanted to put QR codes on some of their DIY products. Rather than ship expensive instructions with each item, there would be a QR code on the packaging which linked directly to a video explaining how to use whatever it was you'd just purchased. The idea was a success and is now helping them cut costs - even in their after-sales service. It's always nice when other companies imitate your success - and…
Three years ago, I wrote about the deficiencies in Microsoft's Tag system. It was painfully obvious even then that MS had no desire to back the "standard" they'd tried to create. They couldn't even be bothered to leverage the then-new Windows Phone to get the reader into customers' hands. Their terms and conditions at the time said We will also use commercially reasonable efforts to make these basic features available until at least January 1, 2015, and provide two years prior notice before …
BitCoin and other crypto-currencies are gaining popularity at the moment - but I remain firmly convinced that they're too hard for the average person to use. I have, however, watched with interest as an ecosystem grows around them. In particular, I like the way The Pirate Bay (and others) have used QR codes to facilitate easy payments and donations. The QR codes contain only three variables - the payment method (BitCoin), the destination, and a message. As this is a donation there is no…