A Recursive QR Code


QR Code.

I've been thinking about fun little artistic things to do with QR codes. What if each individual pixel were a QR code? There are two fundamental problems with that idea. Firstly, a QR code needs whitespace around it in order to be scanned properly. So I focussed on the top left positional marker. There's plenty of whitespace there. Secondly, because QR codes contain a lot of white pixels inside them, scaling down the code usually results in a grey square - which is unlikely to be recognised…


Why are QR Codes with capital letters smaller than QR codes with lower-case letters?


QR CODE

Take a look at these two QR codes. Scan them if you like, I promise there's nothing dodgy in them. Left is upper-case HTTPS://EDENT.TEL/ and right is lower-case https://edent.tel/. You can clearly see that the one on the left is a "smaller" QR as it has fewer bits of data in it. Both go to the same URL, the only difference is the casing. What's going on? Your first thought might be that there's a different level of error-correction. QR codes can have increasing levels of redundancy i…


QR Code Hijacking Attempts Are Pretty Inept


A poster behind some glass. A paper QR code is stuck on top of the glass. It is easy to see it is a replacement code.

I've been writing about QR codes since 2007 - long before they were fashionable. Because QR Codes are so cheap to produce, there has always been a concern that attackers might print out their own codes and stick them over legitimate ones. When I first wrote about QR Hijacking in 2011, I said that such attacks were usually easy to spot: Recently, a new wave of QR Hijacking attacks have been reported in Bournemouth: A further warning about fake QR codes on parking ticket machines has been…


How to generate a Base32 TOTP secret string on a Mac


A padlock engraved into a circuit board.

I needed a way to generate a TOTP secret using a fairly locked-down Mac. No Brew. No NPM. No Python. No Prolog, COBOL, or FORTRAN. No Internet connection. Just whatever software is native to MacOS. As I've mentioned before, the TOTP specification is a stagnant wasteland. But it does have this to say about the secret: The secret parameter is an arbitrary key value encoded in Base32 according to RFC 3548. The Base32 alphabet is pretty simple. The upper-case letters A - Z, and the numbers 3 - …


Strange Encoding Errors in TOTP QR Codes


A QR code.

Not really a security issue, but one which I thought was worth highlighting. It shows the peril of slightly vague specifications. When you scan a 2FA token into your authenticator app via QR code, you get presented with a bunch of information about your account. This lets you store things like the issuer and the account name. I recently scanned a code, and it displayed my name as Terence+Eden. Which was a bit weird. Try it yourself: Checking the raw output of the code, shows the…


Why is there no formal specification for otpauth URLs?


A QR code.

Yes yes, Cunningham's law etc etc! I want to play around with 2FA codes. So, I started looking for the specification. Turns out, there isn't one. Not really. IANA has a provisional registration - but no spec. It links to an archived Google Wiki which, as we'll come on to, isn't sufficient. There's some documentation from Yubico which is mostly a copy of the Google wiki with some incompatible tweaks. The Internet Initiative Japan has a subtly different spec which includes an icon parameter…


I was told that QR codes would never succeed because no one could make money from them


A tiny packet of salt which has a QR code printed on it.

Search back through this blog and you'll find dozens of posts about QR codes. Back in the day, I was a freelance "Mobile Internet" consultant. I'd rock up to companies and say "you know you can get the Web on your phone, right? It's going to be the next big thing!" And people would pay me handsomely for that advice. I'd also talk about apps - "You don't need one, but if you're going to develop one, here's what you need to know." It was like pushing on an open door. My final pitch was…


A QR code built from Emoji


A QR built from emoji squares.

It's possible to encode QR images as text. In this case, Emoji!


Donating via SMS - using QR Codes


One of the greatest cultural achievements of the last Labour Government was making museum entry free for everyone. Whether you're rich, poor, British, foreign, young, old - you can enjoy the treasures of our museums and galleries. Of course, while museums are funded by the state, they still rely on generating some external revenue - hence the ubiquitous gift shop and major corporate donations. In the front of most museums, you'll find a vessel for collecting donations. Usually half full…


ASCII Art in QR Codes


There are plenty of QR generators which will render the code in ASCII, but I wanted to try something a little different. Is it possible to hide ASCII Art into QR Codes? Errr.... yes... It's pretty damn simple! I was surprised I couldn't find anyone else doing this. (_/) (='.'=) (")_(") Becomes: Which, when scanned, renders as: Now, there are limits as to what you can put into a QR code - about 4,000 characters. Different devices have different screen widths, which limits the…


QR Codes on Energy Bills


Photo of an eBook. It is demonstrating how a customer can scan a QR code on their bill to see what their energy usage is.

This is a necropost - resurrected from the now defunct blog of a previous employer. Sadly, the follow-up post has fallen down the memory hole. You can still read Sharon's response to it. Well, we can finally unwrap one of the little projects The Lab has been working on. Along with the Department of Energy and Climate Change we're aiming to stick QR codes on customers' energy bills. The proposal has the grand name of: "A consultation on proposals to amend domestic energy supply licence…


QR Codes in the Hardware Store


I'm a big fan of QR codes. A few years ago, I did some work for a major UK retailer who wanted to put QR codes on some of their DIY products. Rather than ship expensive instructions with each item, there would be a QR code on the packaging which linked directly to a video explaining how to use whatever it was you'd just purchased. The idea was a success and is now helping them cut costs - even in their after-sales service. It's always nice when other companies imitate your success - and…
