Schneier on Security

Clive Robinson • September 20, 2025 3:11 AM

@ not important, ALL,

QR codes have less security than URLs

With regards the “Quick Response”(QR) codes they are simply a “Display / Printing technology” “for easy of machines” not humans. Because they were designed in times before security was even considered necessary in “Display technology”.

So two things apply,

1, There is NO security implicit in their design.
2, They are deliberately designed NOT to be read by humans[1].

Whilst the first also applies to URLs the second does not, in fact the opposite.

These two fundemental QR Code design issues combined actually mean,

3, QR Codes are implicitly LESS secure than human readable URLs and always will be.

If people go back on this web site they will find I was well aware of this,

“‘Human can not read’ security issue”

Decades ago.

As I’d run head first into it with “Transaction Authorisation Codes”(TACs not TANs) back before the start of this century[2] when most people had not even seen a QR Code in use.

As is normal with any new technology, QR Codes failings with regards,

“Surveillance on and security of the user.”

Whilst clear to one or two, will not be seen by the majority of humans. However they majority will see “Convenience” and it’s that which drives technology take up (not novelty or ‘keeping up with the Jetsons’).

Then after a short while of increasing use of a new technology, somebody with nefarious intent will abuse it for their personal gain at the expense or harm of others.

And once more “widely known” the increase in the abuse of a new technology generally grows at a rate greater than the that of the new technology growth increases[3].

But the real problem with QR Codes like any “Domain conversion code” is it is the equivalent of a “Transducer” that carries information objects from one physical measurement domain to another. The fundamental laws of nature say that any such process must be “inefficient”. Thus information will escape as a “side channel”. From the “redundancy” needed to carry information it logically follows that such a side channel carries information both overtly and covertly.

Consider QR Codes as not “Black and white” but “All shades of grey” unlike human eyes where the nerves have a logarithmic response, the sensors in an electronic device like a video camera tend to be designed for linear sensitivity in a given range.

The human will see the QR Code as just a pattern of “dark and light squares”. The camera however will see each small square as a value of grey. As these values can be reliably determined by the use of differential coding and forward error correction then considerably more data can be hidden in a QR Code than most would even have realised. That is each square acts not as a single bit, but the equivalent of four or five bits. Such is the fun of “covert channels”.

[1] This “can not be read by humans” was actually seen as a “security benefit” by some… This was because it was argued it would reduce “stock loss” because only authorised people with very expensive readers would be able to know what was in the shipping container / box / bag.

[2] Back last century as part of “On Line Banking” I was looking to “Authenticate the transaction” not rely on the totally insecure “authenticate the communications channel” that was easily defeated by,

2.1, “Man In The Middle”(MITM) attacks.
2.2, “Covert Side Channel”(CSC) attacks.

So I needed a reliable way to knock both issues out of the “Authenticate the transaction but make it easy for human use, to “ensure that”,

“Humans were IN the authentication loop/chain, not forced out.”

So I was looking for in effect the opposite of a QR Code, that is I wanted a,

“Difficult to read by machine, easy to read by human authentication code”

And QR Codes and similar were clearly not the solution to the “Transaction Authentication loop” issue and never will be.

[3] One of the tricks for “Lies, Damn Lies, and Statistics” misuse is to use “growth rate”. By the same notion of “The Law of small numbers”, it makes a small early change look more severe than it really is. Lets say you have a technology the number of users is increasing by 10,000 in a time period on a base of 1,000,000 users. That’s a growth of 1%. Now think about those being exploited it goes up by 2 in the same time period on a base of 4 users. That’s a growth of 50%, so it might be tempting to say “attacks are growing at 50 times that of new user take up”… Sounds like an unmanageable disaster when it’s not.

This is such an issue, that it’s actually warned about repeatedly to people involved with measurement on which predictions will be made. As a result you can find write ups on it in places you might not expect,

https://fastercapital.com/content/Law-of-Small-Numbers–The-Misleading-Tale-of-Small-Samples–Understanding-the-Law-of-Small-Numbers.html

But as we are increasingly finding out even published research papers do contain it…

Clive Robinson • September 20, 2025 8:22 AM

@ lurker, ALL,

With regards,

“Which is why I have a QRcode reader on my phone which displays to me the text contained in the code…”

Yes but what is it displaying and where did it get it from?

This is something I had to go through with one of the bods over at the UK Cambridge Labs quite a few years ago.

They had come up with an alternative to the QR Code using a diamond shaped grid of coloured four coloured dots.

As I’ve done above, I explained to them about the covert side channel of in this case slightly off coloured dots not grey scale.

I pointed out the fact it could hold several times the actual intended data, in fact enough for malware and or one or more sets of bogus data. Because the covert side channel was fully independent of the primary data channel.

And that there was little they could do security wise unless they could control the entire security eco-system. Which they could do for the devices they were planning to sell, but not for the PC etc other hardware they would provide software for. Which these days would include Smart Devices and Mobile Phones.

Thus you have a QR Code that reads and behaves normally via any reader that “IS NOT”,

“Backdoored via use of the side channel”

And can behave abnormally via a reader / application that “IS”,

“Backdoored via use of the side channel”.

With mobile phone Apps you can not tell as due to Alphabet and Apple “business practice” that at best pretends,

“They give you security via their walled garden”

Where as they actually rip off customers and developers and exert malign influence and control, as an

“Iron fist in glove of their ‘shut in markets'”.

And all hope of real security is effectively removed, and as we now know with “client side scanning” built in,

“Back dooring for the man ensured.”

Thus it really needs to be

“The human built in”

Not some “instrumented proxie” which can be subverted etc.

I kind of “hate my job here” where I indicate fundamental flaws in consumer / commercial security devices that can not be solved by the user.

Think back to how unpopular my early comments were about “Secure Message Apps” not being secure on a users system because by use of IO Driver shims etc an attacker could just bypass the security and go through the OS (now 100% backdoored by Apple and Alphabet at their OS levels with client side scanning, Brave and other browsers doing it with AI in the software, and Microsoft doing it with AI Phone Home everywhere).

Or my even earlier “don’t use JavaScript” that earn’t much ire, but in time became standard.

I’m telling,

@ALL,

“QR Codes can not be secured in convenient usage, the only way is via inconvenient use by the human being properly in the loop.”

That is the loop has to go through “air gapping” via the human to get past the necessary full segregation. With the problem that modern consumer / commercial hardware is not designed for segregation and reliable gapping (think mesh networking built into the OS for C19 “contact tracing” and similar for supposed luggage tags).

To do this you need as a minimum two or more entirely separate devices one of which is entirely segregated as you have to,

“Get the security end point cleanly beyond the reach of the communications end point.”

And worse for most people you have to type the required information across the gap your self… Which is not at all “convenient”.

Clive Robinson • September 21, 2025 10:33 AM

@ Bruce, ALL,

DEA bug in credit card…

https://www.independent.co.uk/news/world/americas/dea-surveillance-hidden-cameras-federal-law-enforcement-b2828606.html

Not sure how factual it is when it says,

“DEA – which has recently diverted agents from their usual drug-fighting mandate to assist Immigration and Customs Enforcement in carrying out President Donald Trump’s mass deportation efforts – is outfitting agents, presumably undercover, with audio-video recorders camouflaged to look like everyday credit cards.”

Whilst I can understand the shift of DEA agents from a task they have little hope of succeeding at. Moving them instead to a “Moronic Presidential pet project” that is guaranteed to fail strikes me as a considerable waste of, if not actual misuse of Federal Tax Payer Resources.

But that argument aside it’s the “audio-video recorders” disguised to look like Standard Credit cards, that has me being “curious”.

Apparently a “Request for tender” has already been put out,

“Covert audio/video devices must match the form factor of a United States credit card and other common form factors of that size and be able to accept a printed overlay that is detailed enough to be able to pass a close visual inspection,” states a summary of the September 12 purchase order. “The card must be able to be disguised by printing of specific art-work directly on to the card. Physical Dimensions can be no more than 85 x 54 x 1.5 mm, 34 x 2 x 0.05 inches Weight < 5 g.”"

The problem is not the RF and control circuitry, that can already be done and similar slim devices are available commercially. However what is an issue is,

1, The Optics
2, The power source.

Whilst it is possible using Fresnel techniques to make a very thin lense. The use of a lense depends on it’s optical area, and the related focal depth…

Even though batteries now look like they have “amazing capacity” the reality is the power density is not good so the volume has to be high…

This is due to the construction method, which results in the fact the volume also has to be fairly thick. That is they are generally made almost like electrolytic capacitors thus are in effect “rolled up”.

Any way, there is the old engineering motto in the US of,

“People in management will promise anything if the money is right, sometimes they might even be able to get a deliver together…”

Something the likes of Microsoft has done for nearly all of it’s existence with software eventually long after due dates…

However with hardware “practical reality” is based around the Laws of Nature, and they are not so easy to coerce.

Clive Robinson • September 21, 2025 7:11 PM

@ ALL,

Will the Financial crisis AI will create destroy the US?

I’ve mentioned before a couple of things,

1, The Financial Crisis happened because everybody did the same thing…
2, The money now supposedly invested in AI is actually larger than the US economy.

And I keep mentioning Current AI LLM and ML Systems are a bust. The reality is they don’t scale and will not become of use in any useful way that will cover the water bill let alone the energy bill…

However they are all that is providing churn in the otherwise moribund US economy.

I am not the only one to point out such things as I’ve mentioned before.

Oh and that nonsense with Oracle a few days back, talk about hype beyond the bubble… Folks get an envelope and do a few calculations on the back… Seriously the maths can not balance, unless hyperinflation on a scale never seen before happens.

But others have different perspectives on this disaster to come,

https://futurism.com/ai-economy-industry-hype

Titled,

“If the AI Industry Fails, It Could Take the Rest of Us Down With It”

Is kind of trying to say the same thing in a more gentle way by looking at just the “AI infrastructure” aspect,

“Don’t let AI critics tell you it’s good for nothing: the amount of money being spent on AI infrastructure is so enormous that it’s literally propping up the US economy.

The drawback, of course, is that if the AI industry fails, it could drag the rest of the economy down with it.”

So that’s “The opener”, and it’s followed by some information you can verify to substantiate part of it,

“Though Meta, Amazon, Microsoft, Google, and Tesla are expected to have spent some $560 billion on AI development by the beginning of next year, their collective revenue from AI comes in at a paltry $35 billion. In the first half of 2025, the Atlantic notes, business spending on AI added more to GDP growth in the United States than all consumer spending combined.
“

So 16 times the spend over income and no way to close the gap. Then there is also the issue of “No Product” that delivers on the promises and barely works even in the simplest cases in a reliable or cost effective way.

Does this look like a wise or even safe investment to be involved with. No of course not it’s worse than the “Burn Rate” nonsense that caused the hype bubble that led to the “Dot Com bubble burst”.

Which set the US up so that it’s been said the only thing that kept the US Economy going was,

“The economic churn caused by the drugs trade money laundering.”

Perhaps people should get ahead of the inevitable and diversify into “useful metals” or something people have to pay for or die (What in 1943 did Maslow put as the base foundation of his human “hierarchy of needs”, air, water, food…).

I’m not sure if this will play out quickly or if it will be the US only hit as hard as the figures indicate…

But it has been pointed out in the past the way as a nation to buy yourself out of economic collapse is “To start a major if not global war”… Not that history really supports this.

Clive Robinson • September 22, 2025 12:42 PM

@ ALL,

Is unknotting chaotic or not?

It’s a question that’s been puzzling mathematicians, physists and others for some time now (it has applicability in many knowledge domains).

The hope was it’s not chaotic. That is when you join the “free ends” the knot obviously forms a single loop, but it also has “twists and half hitches/crosses” that make the actual knot from the loop and the basic number of crosses remains. This basic number defines the knot type.

Now consider instead you join the free ends of two entirely separate knots to make a compound knot, what happens?

That is you get another single loop, but do you get more or less twists and half hitches in the resulting knot?

The expectation is the number of basic crosses is additive.

It’s not hard to see that “unknotting one knot actually creates another knot. It’s why the reef/square, granny, or thief knot unties to it’s self again endlessly. But the complexity of some knots can change. So obviously there is things we do not know…

Well a paper a little while ago unfortunately demonstrates things are rather definitely more complex than was hoped and the result is not what most wanted…

https://www.quantamagazine.org/a-simple-way-to-measure-knots-has-come-unraveled-20250922/

For those that think “so what” it has implications in complexity and information security.

Clive Robinson • September 22, 2025 7:45 PM

@ Grima Squeakersen,

With regards your question of

“Do you regard either of those as meeting your objective to any significant extent?”

Neither, in fact I’m not sure any would pass these days.

Two reasons,

Firstly as you note,

“… the weakness I do see is that the challenges are limited and repetitive”

The simple fact is that we’ve got to the point with human2computer challenges, computers are such that they can do a dose of AI ML and fairly quickly they will outperform the humans after just seeing one or two solutions. You just can not have a sufficient level of variety with humans because there will always be a sufficient number of people that can not remember a 4 Digit PIN let alone do a new challenge…

Secondly is the issue of,

“Is the Turing test even valid?”

Mostly the challenges are a computer doing a negative Turing Test on an entity that alleges that it’s human.

Current AI LLMs can now after going through tens or hundreds of thousands of human responses can “Fake it well”. Enough that another computer can not discriminate.

Back at the turn of the century I failed miserably with capatchas as a way to reduce human cognitive load whilst increasing machine load such that a human did not have to type in a 25 or more totally random character without mistake… It turned out that back then in China you could get a human to solve a forwarded capatcha challenge for less than 30Cents… Since then computers can solve them for less than a couple of cents…

The result is that challenges are nowhere near upto the job these days. So we have to think of a new way to do things that favour humans not computers and I suspect we are now well beyond that tipping point.

Clive Robinson • September 26, 2025 7:57 PM

@ ResearcherZero,

With regards,

“Child Care Centers, schools, sports clubs and other organizations are supposed to perform background checks, refer incidents for investigation and stand down known offenders where a credible complaint exists. Something which often fails occur and is often followed by a lack of prosecution…”

This near did not happen prosecution one did for once end with an 8 year prison sentence. But we are left with the big reason such things often don’t get to court,

“Some people just do these things and we may never find out why.”

Thus there is a credibility gap that can not be sold to people. Because most people expect things to make sense to them…

What many don’t often realise consciously is that court cases in front of juries are a form of dramatic theatre. Both the prosecution and defence have to “sell a story” to the jury about the defendant. And without a convincing or credible story it might not even be worth the time and cost of going to trial… And why many trials are on way lesser charges than the defendants actions might indicate.

But as you note this “happens all the time” action by authorities is also used as a way to manipulate justice politically etc.

In this particular case even though the prosecution had video of the persons behaviour, it very nearly did not go to trial because “selling it” was going to be an uphill issue (defendant young, cute, blond, etc as you can see from online photos and lots of issues with another recent trial).

As this Police Report hints at,

https://news.met.police.uk/news/nursery-worker-jailed-for-child-abuse-following-met-police-investigation-501504

I delayed mentioning this just finished case to you, because in the UK at the moment having a “foreign sounding name” is being used by others “as justification” to sort of behave in similar abusive ways or incite such behaviours in others…