Malicious QR Code Use On the Rise
New submitter EliSowash writes "Malware developers are increasingly using QR Codes as an attack vector. 'The big problem is that the QR code to a human being is nothing more than "that little square with a bunch of strange blocks in it." There's no way to tell what is behind that QR code.' The advice we've always given to the computer user community is 'don't click a link in an email if you don't know who it's from or where it goes' — so how do we protect unsuspecting users from QR codes, where you can't see the destination at all?"
Just like with TinyURL... (Score:5, Interesting)
Use a service that will decode it for you. With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes. At least with QR the code can be decoded locally, with software that you trust.
Re:Just like with TinyURL... (Score:5, Insightful)
I've never used a QR code reader that auto-navigated to a link. The ones I use will display the content/data....and if it's a URL, will show the URL as a hyperlink. It's up to me to click it. This includes the QR code reader built on my phone.
I don't think I would want a reader that worked any other way. Especially considering that the QR code can contain more than just a link.
Re: (Score:2)
You install firefox mobile and an expander?
Re: (Score:3)
Clipboard and the + sign?
http://security.thejoshmeister.com/2009/04/how-to-preview-shortened-urls-tinyurl.html [thejoshmeister.com]
Or, you know, don't click it.
Re: (Score:3)
Re: (Score:3)
QR codes are a handy way to grab some URL for a site quickly rather than typing it into your phone, or taking a picture of the URL. I've seen them at the local game stores for information on new and upcoming games. Some people might not have Internet access right then and there - me included. I bring an iPod touch everywhere, QR app ready. It's especially nice when you forget the name of the product the moment you walk out the door :)
I guess they're handy for Android software installation, too. Buy stuff,
Re: (Score:3)
I have a Firefox extension installed that will popup a qr code of the current url. I can then scan it with my phone to pull that website up on my phone.
Re:Just like with TinyURL... (Score:5, Informative)
>With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.
That is why God made preview.tinyurl.com
--
BMO
Re:Just like with TinyURL... (Score:5, Funny)
Re:Just like with TinyURL... (Score:5, Interesting)
Re: (Score:3)
That is why God made preview.tinyurl.com
--
BMO
1) That wasn't God, that was a computer programmer.
2) You still have to trust TinyURL. If TinyURL is compromised or malicious, then I am at risk or blocked. TinyURL is a US company, so if someone uses a TinyURL to point to a Syrian website, I might not be able to get through. Likewise, if TinyURL itself is hacked, I am vulnerable.
Re: (Score:2)
Re: (Score:2)
Suppose the website you were trying to access was hacked?
Exactly. Under the understanding that all web services are vulnerable, using TinyURL just doubled the chances that the user will be exposed to an attack vector.
Re: (Score:2)
>using TinyURL just doubled the chances that the user will be exposed to an attack vector.
I'm calling bullshit. I'm not saying that preview.tinyurl.com is bulletproof, but over the years they have demonstrated competence in keeping the bad people out of their servers.
Yes they are a target.
But claiming that they cannot be trusted because of some theoretical threat means that you have an agenda bordering on libel. You owe them an apology, sir.
--
BMO
Re: (Score:2)
My personal God is a computer programmer, you insensitive clod!
(If you don't trust TinyURL, then don't even load the preview. The point is that a QRCode by itself shouldn't be able to do anything, since you can always see the URL it points to, at least with any decent reader)
Re: (Score:2)
My personal God is a computer programmer, you insensitive clod!
Jesus built my car. It's a love affair. Mainly Jesus, and my hot rod.
If you don't trust TinyURL, then don't even load the preview. The point is that a QRCode by itself shouldn't be able to do anything, since you can always see the URL it points to, at least with any decent reader
That is exactly my point. Always look at the URL before going any further.
Re: (Score:2)
Jesus built my car. It's a love affair. Mainly Jesus, and my hot rod.
I bet. So you must be intimately aware that he was an architect previous to his career as a profit...and that Jerry Lee Lewis is the devil...btw
Re: (Score:2)
>With TinyURL you are really in a bind as you must trust TinyURL itself to discover where the link goes.
That is why God made preview.tinyurl.com
So your God will ensure people with malicious intent will always use a URL shortener with a preview function? Sounds like a nice guy.
Re: (Score:2)
tinyurl.com/bla -> preview.tinyurl.com/bla. Much easier, because it even works without cookies
Re: (Score:3)
I don't know what, exactly, your fixation is on me, but I am flattered that I have my own little pet stalker on Slashdot.
--
BMO
Boyle M. Owl
George L. Tirebiter
Hemlock Stones
among many other names.
Re:Just like with TinyURL... (Score:5, Informative)
Which is where LongURL [longurl.org] comes in handy, it can show you every redirect taken and what the final destination of a short link is, including when they try to be sneaky and redirect after the "bad" page to something like google.
Re: (Score:2)
Where did we go wrong that we ended up with software so fragile that you can't safely open just any document?
Doctors need degrees to practice. Lawyers need degrees to practice. Mechanical and Electrical engineers need degrees to practice. But anyone can write software.
Does anyone have a QR code to a Rick Roll? (Score:5, Funny)
Does anyone have a QR code to a Rick Roll?
Re:Does anyone have a QR code to a Rick Roll? (Score:5, Funny)
Re: (Score:2, Informative)
Google has an API to create one on the fly. Use this base URL and append any URL you want to the end and you've got a QR code.
https://chart.googleapis.com/chart?cht=qr&chs=200x200&chl= [googleapis.com]
Just add a youtube link to the video and voila.
Re: (Score:2, Funny)
I just had a great idea for a prank on local billboard advertisements that have QR codes.
Re: (Score:2)
Google Chrome has an extension to create QR Codes from any link on a page.
With this I set one of my Avatars as a QR code that takes you to "Let me Google that for you" and then searches:
Curiosity killed the cat
Hehehe
Re: (Score:2)
Does anyone have a QR code to a Rick Roll?
Here you go, sir! [imgur.com]
Some scan apps can show URL and ask first (Score:5, Informative)
The QR scanner app [apple.com] that I use has an option to show the URL before going to it which seems like a good approach, though it's not on by default. Seems like having such an option be the default would be a good first step, perhaps with a straight through exception for sites already visited.
Re:Some scan apps can show URL and ask first (Score:5, Insightful)
Re:Some scan apps can show URL and ask first (Score:4, Funny)
Sure, the morans will click the links but what about the morons?
Re: (Score:2)
Potential whoosh detected....
Re: (Score:3)
Just like evil hyperlinks (Score:5, Interesting)
Clicking a hyperlink may result in being directed to a malicious site.
Considering 99% of users don't check the URL of hyperlinks, I'm not sure how QR codes are any different... they're just physical hyperlinks for camera phones.
Re:Just like evil hyperlinks (Score:5, Interesting)
We should all sue BT, after all, they claim they invented the hyperlink [slashdot.org], therefore, they should be liable for the damages of malicious hyperlinks. My theory is based upon the premise that the most effective way to fight abuse of the legal system is to use it against the abusers thereby costing them billions of dollars. Call it an "economic sanction".
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
QR Droid (and I think Google Goggles) do show you the URL before you go there, at least on my Sensation.
Re: (Score:2)
New vulnerabilities for IE9 show up pretty much weekly. If you're browsing in the month-long vulnerability window you can get arbitrary code execution happening on your system.
Not a very new problem. (Score:3, Informative)
Comment removed (Score:5, Informative)
Re: (Score:2)
I sort of knew about the + but I forgot. I found http://bit.ly/vB0EIH [bit.ly] with google.
Probably there are identical services for other shorteners.
Re:Not a very new problem. (Score:5, Informative)
http://bit.ly/rCBPp7 [bit.ly] You don't know where that link goes until you click it. So, what do you do?
https://addons.mozilla.org/en-US/firefox/addon/bitly-preview/ [mozilla.org]
Shows full URL. Rule 1 don't click on URLs to unknown websites ESPECIALLY at work! :)
Re:Not a very new problem. (Score:5, Funny)
We have this woman at work that does that. One day, I happened to be helping her with something. She was googling around, and the second link was www.foo.bar.cn. It was kinda what she was looking for, and before I could say 'No', she clicked it. It was blocked by the proxy.
"Um...you probably don't want to go there."
'Why not?'
"It's some random site in China"
'How do you know?'
"ummm...the CN at the end = China"
'Oh, I never pay attention to that'
"Well, seeing as you're on a DoD computer and network, you might want to start paying attention to that stuff"
or with Greasemonkey (Score:2)
http://userscripts.org/scripts/show/40582 [userscripts.org]
I use this Greasemonkey script for similar reasons.
It works on shorteners in addition to bit.ly and displays the real URL automatically
Re: (Score:2)
As per the post above, you can use longurl.org [longurl.org] to see where it goes (in this case, here) without ever clicking on it. I'd not seen the service before but can see how it would be handy in situations like this where you are unsure whether to trust the link.
Re: (Score:2)
I install a link expander for my browser.
Re: (Score:2)
I'd like to know where you get your data from; I don't have any, but from my anecdotal experience, 90% of people don't even think twice before clicking on any link. Which would be irrelevant anyway, since they aren't knowledgeable enough to assess whether a website is dangerous or not by its URL.
Good thing no ones using them anyway (Score:2)
Didn't we talk about this before? [cnn.com]
So I guess my point is. Who cares?
QR codes don't all have destinations (Score:5, Informative)
You can do a lot with QR codes that have no destination at all, they are not restricted to web links. [qrstuff.com]
They can be simple text messages, address book entries, phone numbers, wifi network set up instructions, calendar events, etc.
But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.
Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect. They do the same with links in emails.
Re: (Score:3)
But every implementation I've seen of a QR code reader in Android and IOS also gives you the option to inspect the content visually before acting on it. They ask if you want to proceed.
Of course one could argue the click-thru generation does not know enough to evaluate the content, but then these are the same people that no amount of malware/antivirus software can protect.
Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".
Re: (Score:2)
Is the confirmation something like OK/Cancel? I also tend to click OK buttons without hardly even reading them. That's why potentially security sensitive questions shouldn't have such simple buttons, but rather two (radio?) buttons that require you to read (and hopefully understand) what you're doing, such as: "Replace network settings from QR" and "Keep the existing network settings".
It varies by implementation of course, but most offer a choice of actions depending on the type of QR code.
For instance, with the android version I am running right now, a simple Vcard via QR code, offers me a choice of add to address book, call number, sms number, etc.
Additionally there is the normal "Back" button which does nothing.
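The two posts above describe what a careful reader does: decode the payload, show what it is (URL, Wi-Fi settings, vCard, phone number, plain text), and offer explicitly worded choices rather than a bare OK/Cancel. The following is an added example written for this thread, not code from any scanner app mentioned here; it classifies a decoded payload and builds a preview without opening, calling, or joining anything. The shortener host list and all sample payloads are constructed.

```python
"""Preview a decoded QR payload without acting on it.

Added example (not code from the thread or from any scanner app). It classifies
the text a QR decoder hands back, describes what acting on it would do, flags
things a user should notice, and offers explicitly worded choices instead of a
bare OK/Cancel. All sample payloads are constructed."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed list of URL-shortener hosts; a real app would keep a fuller list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}


@dataclass
class Preview:
    kind: str                        # url, wifi, vcard, phone, sms, email, text
    summary: str                     # one line shown to the user before anything happens
    warnings: list = field(default_factory=list)
    choices: list = field(default_factory=list)  # labelled actions; none is executed here


def _fields(body: str) -> dict:
    """Parse 'K:V;K:V;' bodies used by WIFI: and MECARD: payloads."""
    out = {}
    for part in body.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            out[key.strip().upper()] = value
    return out


def classify(payload: str) -> Preview:
    """Return a Preview describing the payload; never opens, calls or joins anything."""
    text = payload.strip()
    upper = text.upper()

    if upper.startswith(("HTTP://", "HTTPS://")):
        host = (urlsplit(text).hostname or "").lower()
        warnings = []
        if host in SHORTENER_HOSTS:
            warnings.append("shortened link: the real destination is hidden")
        if upper.startswith("HTTP://"):
            warnings.append("plain http: link content can be altered in transit")
        return Preview("url", f"Open website {host} ({text})", warnings,
                       ["Open in browser", "Copy link only", "Do nothing"])

    if upper.startswith("WIFI:"):
        f = _fields(text[5:])
        auth = f.get("T", "")
        warnings = ["open network: traffic is not encrypted"] if auth.lower() in ("", "nopass") else []
        return Preview("wifi", f"Join Wi-Fi network '{f.get('S', '?')}' ({auth or 'no'} security)",
                       warnings, ["Replace network settings from QR", "Keep the existing network settings"])

    if upper.startswith("BEGIN:VCARD"):
        name = next((line[3:] for line in text.splitlines() if line.upper().startswith("FN:")), "?")
        return Preview("vcard", f"Contact card for {name}", [],
                       ["Add to address book", "Show card", "Do nothing"])

    if upper.startswith("TEL:"):
        return Preview("phone", f"Phone number {text[4:]}", [], ["Call", "Copy number", "Do nothing"])

    if upper.startswith(("SMSTO:", "SMS:")):
        number = text.split(":", 1)[1].split(":", 1)[0]
        return Preview("sms", f"Text message to {number}",
                       ["sending a text may cost money"], ["Compose text", "Do nothing"])

    if upper.startswith("MAILTO:"):
        return Preview("email", f"E-mail to {text[7:]}", [], ["Compose e-mail", "Do nothing"])

    # Anything else is shown as text; a reader should never guess an action for it.
    return Preview("text", f"Plain text: {text[:60]}", [], ["Copy text", "Do nothing"])


if __name__ == "__main__":
    # Constructed payloads covering each branch.
    for sample in ("https://bit.ly/constructed", "WIFI:T:WPA;S:CoffeeShop;P:secret;;",
                   "BEGIN:VCARD\nVERSION:3.0\nFN:Example Person\nEND:VCARD",
                   "tel:+15550100", "just some text"):
        p = classify(sample)
        print(f"[{p.kind}] {p.summary}")
        for w in p.warnings:
            print("   warning:", w)
        print("   choices:", " / ".join(p.choices))
```

The design point is that `classify` returns only a description and a list of labelled choices; whatever UI sits on top of it has to present the choice, and the default path ("Do nothing" or "Keep the existing network settings") is always the inert one.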
Re: (Score:2)
I kinda did in my next sentence, but whatever..
Re: (Score:2)
Re: (Score:2)
The first to market for IOS was RedLaser. It always asks.
Re: (Score:2)
As for RedLaser: I think I've avoided it because of the company name "eBay Inc."
Re: (Score:2)
Re: (Score:2)
Scan is the first QR code scanner I installed on my iPad and later on my iPhone. There is nothing to change any options.
I look again: There's just the History
ARGHL! THERE IT IS! The settings are hidden on the history page!? WTF?
Re: (Score:2)
Hmm. Is QR Turing complete?
Re: (Score:2)
No more so than ASCII.
Re: (Score:2)
There actually is a way - the same way that iOS avoids malware installation.
The problem is, it's whitelisting.
Re: (Score:2)
There actually is a way - the same way that iOS avoids malware installation.
The problem is, it's whitelisting.
Not really practical.
Look, QR codes are meant to convey information, just like a note pad, or tablet. Who whitelists what you write on the back of your business card?
What if I want to give you my Vcard on my phone via a QR code so you can scan it to add me to your contacts, who becomes the whitelisting authority? Do I have to first appeal to Apple to be able to display a contact as a QR code?
All QR codes do not go to websites. It's just a method of writing, not a central clearing house.
URL Shortening (Score:2)
Did anybody expect anything different ? (Score:2)
The probl
Shock Value (Score:5, Funny)
Sandboxing (Score:2)
http://en.wikipedia.org/wiki/QR_code (Score:2, Interesting)
Submitter EliSowash, editor Soulskill; please, when you folks put together summaries in the future...
"Summary" means.. (Score:3)
http://lmgtfy.com/?q=QR+Code [lmgtfy.com]
What counts as "malicious site"? (Score:2)
If visiting a "malicious site" can harm your phone, switch to a secure browser. Unless you are locked into Safari, then you are screwed.
You can't see the destination at all? (Score:2)
How... about.... using... an other QR reader that shows the destination first???
Still you don't know if you can trust the link, but at least you know where you're going.
Another one (Score:2)
Hey, another Slashdot summary ended with a forecast of impending doom disguised as a handwringing question, written by someone who doesn't know what he's talking about.
QR codes are a method for encoding text. If your decoder does stupid stuff (like visit links automatically) with that decoded text then get a different decoder.
Forget QR codes, most links on the web are quadruple encoded! They're sent to you in binary (of all things). When you turn that back into decimal you end up with ASCII code (!) and
I know, add a Captcha! (Score:2)
Users don't want protection, they want simplicity. As soon as you try to secure something it makes things "hard" and they go back to doing insecure things for the sake of simplicity, or, they just don't use it at all.
The simple login/pass textfield on a webpage is a great example. It used to be easy and simple but now every one of them has some form of a super-secure captcha that is so secure the human eye cannot even discern it. A simple thing has been bastardized to the point it's too frustrating to use.
May
Where's the OCR? (Score:5, Insightful)
I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead? Maybe a standard font that's easy for OCR to read, like that MICR [wikipedia.org] font they invented for check numbering in the 1960s. Maybe at first the phone just sends the image up to a server, for 3D->2D reformation and reading. But it would eliminate this problem.
And also the IDN homograph attack [wikipedia.org] that will surely become more widespread with the increase in Unicode in the Web and gradually in URLs. Your phone would be set to decode the URLs as your home character set, that you recognize, for opening as a URL - not the arbitrary URL composed of the similar looking but different valued Unicode characters.
WYSIWYG URLs. An idea whose time has come.
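The post above wants the phone to show a decoded URL in the user's own character set so that a lookalike Unicode hostname cannot pass for the ASCII one. As an added example (not code from the thread), the block below renders a URL's host both as Unicode and as the punycode form that actually goes on the wire, and flags the two tell-tales of an IDN homograph: a label that mixes scripts, and a label that turns into a plain ASCII word once lookalike letters are swapped. The confusables table and the demo URLs are constructed and the table is deliberately partial.

```python
"""Show a QR-decoded URL's host in a form a person can judge.

Added example, not from the thread. It renders the hostname both as Unicode (what
a browser might display) and as the ASCII/punycode form that actually goes on the
wire, and flags the two tell-tales of an IDN homograph: a label that mixes scripts,
and a label that becomes a plain ASCII word once lookalike letters are swapped.
The URLs in the demo and the confusables table are constructed and not exhaustive."""
import unicodedata
from urllib.parse import urlsplit

# A few Cyrillic letters whose glyphs resemble ASCII letters (constructed, partial list).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y", "і": "i"}


def scripts_in(label: str) -> set:
    """Scripts of the letters in a label, taken from the Unicode character name prefix."""
    scripts = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens are script-neutral
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def inspect_host(url: str) -> dict:
    """Return both renderings of the host plus any homograph findings."""
    host = urlsplit(url).hostname or ""
    findings = []
    try:
        ascii_host = host.encode("idna").decode("ascii")   # wire form (xn-- labels)
        unicode_host = ascii_host.encode("ascii").decode("idna")
    except UnicodeError:
        ascii_host, unicode_host = None, host
        findings.append("hostname is not a valid IDN")
    if ascii_host is not None and ascii_host != host:
        findings.append(f"internationalised hostname, sent as {ascii_host}")
    for label in unicode_host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        ascii_lookalike = "".join(CONFUSABLES.get(c, c) for c in label)
        if ascii_lookalike != label and ascii_lookalike.isascii():
            findings.append(f"label '{label}' is a lookalike of '{ascii_lookalike}'")
    return {"host": host, "ascii_host": ascii_host, "unicode_host": unicode_host,
            "findings": findings, "plain_ascii": ascii_host == host and not findings}


if __name__ == "__main__":
    # Constructed demo: a plain ASCII host, then the same word with a Cyrillic first letter.
    for u in ("https://www.example.com/", "https://\u0435xample.test/login"):
        r = inspect_host(u)
        print(r["host"], "->", r["ascii_host"], r["findings"] or "no findings")
```

A reader that displays `ascii_host` next to the Unicode form gives the user exactly the "home character set" view the post asks for: an `xn--` label is visibly not the brand name it imitates, whatever the glyphs look like.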
Re: (Score:3, Informative)
The obvious answer is that QR codes are useful to scan something with crappy resolution, like a phone display, using something with crappy resolution, like a phone camera, and to process it in real-time using something with crappy computing power, like a phone cpu. The fact that it works at all is really kind of amazing.
Re: (Score:2)
Phone displays and cameras are routinely in the megapixel range. As I pointed out, the image can be processed at the server. I don't see why practically every smartphone, and most featurephones, can't do the OCR.
Re: (Score:3)
Yes! Please! So many QR codes are in-place-of rather than in-addition-to a human-readable URL. If I don't have my phone with me or don't want to bother digging it out of my pocket (or don't even have a QR-enabled phone), then the QR code is just obfuscation.
Smart people will always include a human-readable URL next to the QR code, but given that most QR designers evidently aren't smart enough for that, I'll settle for a human-readable QR.
Re: (Score:3)
I don't understand why QR codes are needed. Why can't the camera use Optical Character Recognition (OCR) instead?
Okay, a QR code can transmit up to a kilobyte of data, with error correction, even with blurring. But you can't read it.
A typical MICR code is a roughly 10 digit account or routing number, and its typical use case is that it's printed on a check that has information indicating which way is up, and is scanned by a machine with a fixed lens.
Even with an OCR font, any blurring makes features run together, so you have to get the focal length just right. The MICR fonts only handle numerals; many English glyphs are h
Re: (Score:3)
QR codes have the benefits of a higher information density and significant error checking/correction ability. MICR has an error rate of 1 per 100,000 characters, which works out to about one error per thousand URLs scanned. QR codes have an error rate of essentially zero: the ECC information means that when a scan error occurs, it either gets corrected or reported.
Re: (Score:2)
As I pointed out, there are letters designed to be read by both humans and machines, which reduces the malicious QR code use we're discussing.
Hey buddy, (Score:2)
Are you sure? Wanna try some Snow Crash?
QR codes are more hassle than typing the URL (Score:2)
As far as I've been able to make out, while QR codes have different possible applications, the only application for which I've ever seen them used is for encoding URLs in posted advertisements. And in every case, the URL was printed adjacent to the QR code block, and usually was short and obvious, e.g., on a poster for www.example.com, there's the URL, http://www.example.com/ [example.com] and a QR code, that when scanned and translated, presents the URL, http://www.example.com/ [example.com]. Since I'd have to take a photo of the QR
QR codes are a bad idea (Score:2)
If you can't read the link to know where it leads, how can you possibly avoid phishing attacks with a QR code? This technology is a wet dream for spammers and malware authors! They can send you anywhere, and you can't even see where they're sending you.
URL shortening services are bad enough. I disagree with posting shortened URLs except in a twitter feed.
content vs code (Score:2)
By having clicking links never be dangerous or risky.
I don't know about you, but when I load a web page, I expect my browser to display a web page, not download and execute foreign code, nor run that code as with my permissions.
The old advice of "don't click a link if you don't know where it goes" was stupid. Not stupid in the sense that it shouldn't be heeded, but that it was an acknowledgement that peoples' bro
No more dangerous than URL shortening services (Score:3)
Depending on how your phone scanner app is configured, QR code URL content may be shown on the screen as a link you can choose whether or not to open. But the links are often shortened so as to make for a smaller or less dense QR code box. And that puts this "risk" in the same category and amount as following any other bit.ly "mystery meat" link that resolves on the redirect service in a redirect to the real destination.
If your browser is built like shit and visiting a "maliciously constructed" webpage can cause code execution on your system, well that's still not a problem with the QR code technology.
QR is vulnerable to "spoofing" in the sense that for example a printed advert with a link on it to download an endorsed phone app - could with a cheaply produced sticker placed over the legitimate code become corrupted so the new code points to some other app. With Android's allowance for un-regulated third-party app installations, there is some concern there that this could lead to unwitting users downloading and installing a malicious app that masquerades as the endorsed, legitimate one.
The solution here could be to extend the established Android app signing system to have an "advisory" service that ranks the credibility of the individual app signing developers and publishers and as part of the app installation process can give you a heads-up hey wait a minute this app publisher has a strongly negative trust ranking maybe you shouldn't install it.
I want nothing like Apple's walled garden, but a voluntary model where you can get a "green seal" as a trustworthy app publisher and specifically trusted apps, might go a long way.
Re: (Score:3)
Which doesn't help all that much if the URL itself is from some link shortening service (so you still don't know what it is) - and the URL shortened is... to another link shortening service (so the first URL shortening service's preview of the page is just that of the other service).
Of course at that point it's probably wise not to follow the link anyway.
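The "mystery meat" links and shortener-to-shortener chains discussed in the two posts above are what a LongURL-style expander walks through before anyone clicks. The block below is an added example, not code from the thread or from LongURL: it follows a redirect chain hop by hop through a pluggable `location(url)` callback, caps the hop count, detects loops, and notes when one shortener hands off to another. The default callback reads a constructed redirect table so it runs offline; in a real tool it would send a HEAD request with redirects disabled and return the Location header, never fetching page content. The shortener host list is an assumption and partial.

```python
"""Expand a shortened link hop by hop before anyone opens it.

Added example, not from the thread or from LongURL. Each hop is resolved through a
pluggable `location(url)` callback that returns the next URL or None; the default
callback reads a constructed redirect table so the example runs offline. In a real
tool that callback would issue a HEAD request with redirects disabled and return
the Location header, never fetching page content. It caps the number of hops,
detects loops, and notes when one shortener hands off to another."""
from urllib.parse import urlsplit

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}  # assumed, partial
MAX_HOPS = 10

# Constructed stand-in for HTTP 3xx Location headers.
REDIRECTS = {
    "http://tinyurl.com/constructed1": "http://bit.ly/constructed2",
    "http://bit.ly/constructed2": "https://www.example.com/landing",
    "https://www.example.com/landing": "https://www.example.com/final",
    "http://is.gd/loopA": "http://is.gd/loopB",
    "http://is.gd/loopB": "http://is.gd/loopA",
}


def table_location(url: str):
    """Default resolver: look the URL up in the constructed table."""
    return REDIRECTS.get(url)


def expand(url: str, location=table_location, max_hops: int = MAX_HOPS) -> dict:
    """Follow redirects from `url` and return the full chain plus any notes."""
    chain, seen, notes = [url], {url}, []
    current = url
    for _ in range(max_hops):
        nxt = location(current)
        if nxt is None:
            break                      # no further redirect: this is the destination
        if nxt in seen:
            notes.append("redirect loop")
            break
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    else:
        notes.append(f"gave up after {max_hops} hops")
    hops_via_shorteners = [u for u in chain if (urlsplit(u).hostname or "") in SHORTENER_HOSTS]
    if len(hops_via_shorteners) > 1:
        notes.append("shortener chained to another shortener")
    return {"chain": chain, "final": chain[-1], "notes": notes}


if __name__ == "__main__":
    for start in ("http://tinyurl.com/constructed1", "http://is.gd/loopA",
                  "https://www.example.com/final"):
        r = expand(start)
        print(" -> ".join(r["chain"]))
        print("   notes:", r["notes"] or "none")
```

Showing the whole chain rather than just the last hop is the point: a preview that stops at the first shortener's own page tells the user nothing, and a chain that never terminates within the hop limit is itself a reason not to follow the link.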
Re: (Score:2)
True, ultimately the solution to this is going to involve ceasing the abuse of URLs. They were never intended to contain so much session data and such as they do now. The fact that I often times can't read the URL is a pretty clear indication that there are troubles ahead.
Re: (Score:2)
That's because lazy coders put parameters as part of their URLs instead of using something like mod_rewrite to use real, human-readable paths.
http://www.website.com/?page=423&l=en [website.com]
vs
http://www.website.com/en/products/ [website.com]
Re: (Score:2)
They're extremely useful though. Given that QR codes are ultimately text, there really should be a preview of what you're about to execute. Just a simple text preview of the information embedded in the code.
Re: (Score:3)
Re: (Score:3)
And given how many exploits are propagated by ads and server hacks of well trusted sites (facebook, drudge, etc, have all been sources of ad-viruses), it gives a false sense of security. I've had many a user convinced that they could never get a virus because of the sites they visited; they got one, and browser history showed facebook, and I had to explain how virus distribution works to them.
Best way to set your users free from having to think about such things: uninstall Java JRE, uninstall Acrobat reader
Re: (Score:3)
Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
It isn't always a browser vulnerability being exploited. For instance, meatspin.com is perfectly safe to browse as it only corrupts your brain.
Re:Well... (Score:5, Interesting)
Something's fundamentally wrong, though, if you can't click on a random link. OK, maybe there's a browser vulnerability from time to time, and given how many there have been, clicking on random links (especially on the seedier side of the web) might not be the smartest thing you can do - but if end users are supposed to have to worry about clicking on a link, then we (the techies) are letting them down big time.
Imagine being at the book store with your children, family, friends, etc. and thumbing through magazines to pass away the time. Now I know a streaker could AT ANY TIME run through the place and just wreck the friendly atmosphere, but he would be kicked out, and aside from that you wouldn't expect to randomly turn a magazine page to child porn, a rick roll, snuff film, man's stretched asshole, or other obscenity, unless you went to a place that sold those things.
Is it wrong to want little sanctuaries like that? I could go to another bookstore if I wanted, but I don't like sipping coffee with a book next to a rack of dildos. A little discretion, that's what people want. You can call it censorship or whatever if you want, but people want a little of that in public places, and that's what the Internet is.
I can appreciate the Internet for what it is, a weird private-public place, I do, but it's not being treated by most like the seedy underground cesspool it really is, and that bugs me. You SHOULD worry about clicking on a link - it was designed that way. It is analogous to the kind of physical places that make you want to take a bath after visiting. An AWESOME place for grey/black markets and all sorts of counter-culture memes. Places where you watch your back constantly, and most people rather not go.
Something IS fundamentally wrong with advocating it as a safe place for the public to do business and socialize. And we should stop laughing at people who get ripped off and abused by it. Nobody is "asking for" the kind of abuse you find on this network, and there is no safe alternative provided.
Re: (Score:2)
"We"? How the fuck are "we" responsible for what security vulnerabilities the browser developers - which most of "us" aren't - leave open? Should I complain to Michael Schumacher that my Renault is running hot? After all, he's one of the "car people".
Re: (Score:2)
erm ... so you think if your browser is safe, it's totally okay to visit goatse?
OK, yes, I think there should be some reasonable expectation of "decency" (however one defines it), much as changing channels on TV might expose you to ideas you don't like but generally won't inflict goatse upon you.
But TFA isn't talking about that - it's talking about using QR codes as an ATTACK vector for malware - essentially tricking people into (virtually) clicking on links which will then perform drive-by-downloads or whatnot upon their PCs.
My point is that the very existence of drive-by-downlo
Re: (Score:2)
There is. And there is.
Re: (Score:2)
Some QR codes can store over 4000 alphanumeric characters. Since these codes are used for other stuff as well (e.g., vCards on convention passes) I'm sure there's an exploit somewhere out there which one could use.
Re: (Score:2)
Hmm. I wonder if the standard code include processing instructions or branches. If so, the code itself could be a program to do something. I would like to see a QR code that is also a Piet [wikipedia.org] program! :D
Re: (Score:2)
Re: (Score:2)
No, no that's okay, here let me Google that for you [lmgtfy.com]
Re: (Score:2)
How is this any different than any other situation involving links? What makes this a QR Code specific problem