On Monday, November 04, 2013 01:17:49 PM Jonathan Wilkes wrote:

On 11/04/2013 05:28 AM, phreedom@yandex.ru wrote:

...

On Sunday, November 03, 2013 04:06:11 PM Bill Woodcock wrote:

...

...

On Nov 3, 2013, at 3:30, "phreedom@yandex.ru" <phreedom@yandex.ru> wrote:

I don't see how "pasting over" a QR code in a way that's not easily detectable is somehow harder than pasting over a domain/email, or printing a real-looking fake ad and pasting it over the real one.

A QR code is already isolated in an opaque white square. It's single color, and moreover, that color is black. And it's smaller than a billboard.

By contrast, a textual URL or email address will be in a specific typeface, probably matched to the rest of the billboard. It's also likely size-matched to other text. Most importantly, it's likely printed right over a patterned and colored background.

While you're correct that you can address, to some degree, all of those issues by wheatpasting over the entire billboard, provided you're at least as competent a visual designer as the person who executed the original ad, which is easier to print and transport? A full-color billboard, or a black-on-white sheet of tabloid-sized paper?

To put this all in more practical terms, since these issues were not apparent to you, you're a less-skilled visual designer than anyone who would be paid to produce an advertisement. Therefore, you would not be capable of covertly coopting their advertisement. Yet you'd still be perfectly capable of successfully pasting over their QR code without anyone being the wiser.

I can't talk about others, but I'd be quite suspicious if I saw a second layer of paper exactly where the qr code is located. If such attacks gained momentum, I guess people would be more careful.

Now you are climbing up on a billboard and inspecting the QR code personally as a way to prove human readable addresses are a solution looking for a problem?

Can you name a specific attack which actually happened, and which involved altering an ad url in any way or posting a fake physical ad? Are we talking about something that actually exists? It's not like an ad by microsoft can't point to a legitimately-looking domain name which isn't microsoft.com eg getthefacts.com

You already mentioned the idea of domain names that aren't "as widely-known" as others. "Widely-known" is a feature-- that feature doesn't exist with QR codes so you clearly understand the issue. I'm not saying that issue cannot be solved, nor that the current domain name system is immune to exploits. But if you don't understand the benefits of human readable addresses you're likely to end up with a less secure system to replace it.

I understand also that: * these benefits exist for maybe top 100 domains * it's usual for well-known entities to use campaign-specific domain names * even if you know the entity name to be $NAME, the domain can still be $NAME.com, $NAME.org, $NAME-project.org, get$NAME.com etc The "security" of physical ads is pretty much about the cost/benefit, and that's why we don't see such attacks in the first place.

(Especially when the smartphones people must use to read the QR code in the first place are almost all locked down and not under the user's own control.)

There are gateways like tor2web.org and onion.to, and these can be encoded into the QR code for compatibility purposes since there's 1:1 mapping beween darknet and gateway urls. For all practical purposes, the DNS replacement is already available in the form of tor hidden services, tested and known to be quite reliable. The status-quo is: 1) you pay money to get a DNS record which: a) can be revoked at will by a number of entities b) requires you to identify yourself, unless you're willing to play spy games(and noone know for how much longer the loopholes will exist, see (a)) c) requires you to be able to pay, which may exclude "children" who can't get the bank account/card, residents of sanctioned countries. 2) you get a ssl cert, with MITM-by-advanced-adversary as an inherent "security feature". This also may come with random and potentially ridiculous hops to jump thru, the list is subject to change 3) wait for hours/days for payments to complete and records to propagate. Tor hidden service: 1) add 2 lines to torrc, or use vidalia to do the same 2) grab the service address from tor's dir 3) the service goes online in 5-10 minutes, with encryption and authentication always on. HTTP gateway is available for legacy platforms. Bookmarking and address book features are widely available thus making the appearance of the url itself not that important. Both client and service can opt to drop their half of the circuit, which turns it into a more or less direct tcp connection, with nat traversal capabilities. Yes there are caveats, yes tor devs are spending their effort on making tor hide users, rather than optimizing "we don't want no anonymity" use cases, but the foundation is solid. The only known issue that bothers me is that tor doesn't let you keep the root keys for the service offline. A 2-level setup would be really nice, tor devs. pretty please? For all I care, the solution has been available for several years. It works well, but I'm afraid that getting it adopted would require the current gatekeepers to step up abuses by a couple orders of magnitude. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys@stanford.edu.