Search Results for "october 29"

The story of RSS is simple and yet combative. In fact RSS’s success may hinge on one man’s idealistic dedication to his principles. Tom takes you through the history of RSS.

Featuring Tom Merritt.

MP3

Please SUBSCRIBE HERE.

A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email to [email protected]

Episode transcript:

You probably use an RSS feed. In fact if you got this episode as a podcast you definitely used an RSS feed. Most people these days don’t even know they’re there. The story of RSS is simple and yet combative. In fact RSS’s success may hinge on one man’s idealistic dedication to his principles. If you’ve ever thought “why are people making this so complicated?” If you’ve ever wondered what it would be like to be a person who just shut everyone up with an action that for right or wrong would stand the test of time. Get ready to Know a Little More about RSS.

People say RSS stands for Really Simple Syndication though it really doesn’t. That’s one of the charms of the story of RSS. Throughout its formative years nobody could agree on much and the name is still a matter of debate to this day.
If you’ve heard of RSS at all, it was most likely in connection with Podcasts. Podcasts are delivered through RSS feeds to the apps and platforms where you can listen to them. Behind every Apple Podcast, Google Podcast, Audible Podcast and even most Spotify podcasts, there’s a simple RSS feed. You may also use RSS as a feed for headlines. If you use Feedly, NewsBlur or Inoreader or something like that you’re using RSS.
But where did RSS come from? Oh my friends. Be prepared for a tale of idealism, abandonment, betrayal and perseverance. It is the tale of RSS.
In the earliest days if you wanted to know if a website had been updated you had to visit it. As websites became more common this became a chore. So people experimented with ways to let you know when a website had been updated, without you having to go there. One of the earliest attempts at this was the Meta Content Framework or MCF, developed in 1995 in Apple’s Advanced Technology Group.
Ramanathan V. Guha was part of that group and a few years later, he moved over to browser-maker Netscape, where he and Dan Libby kept working on these sorts ideas. Guha particularly liked developing Resource Description Frameworks, or RDFs, similar to the old MCF he worked on at Apple. They were complex ways to show all kinds of things about web pages without having to visit them.
But Netscape’s team was of Guha, Libby and friends was not alone. And early on they weren’t he most likely to succeed. The Information and Content Exchange standard, or ICE, was proposed in January 1998, by Firefly Networks — an early web community company– and Vignette- a web publishing tool maker. They got some big names to back ICE too. Microsoft, Adobe, Sun, CNET, National Semiconductor, Tribune Media Services, Ziff Davis and Reuters, were among the ICE authoring group. But it wasn’t open source. In those days respectable tech companies like those I just named, still cast a skeptical eye on open source code. How were you supposed to make money on it? Who would keep working on it if they weren’t paid? So the members of the ICE authoring group paid people to develop it. And in the end that meant it developed slower than competing standards.
Interestingly, ICE’s failure caused Microsoft to get a little more open, a little earlier than you might expect. In 1997 Microsoft and Pointcast created the Channel Definition Format, or CDF. They released it on March 8, 1997 and in order not to fall under the death by slow development that ICE seemed to, they submitted it as as standard to the W3C the next day.
It was adopted quickly and in fact its success planted the seed of its successor. Dave Winer had founded a software company in 1988 called UserLand. UserLand added support for CDF on April 14, 1997 one month after its release. Winer also began publishing his weblog, Scripting News in CDF. But CDF, like ICE, was more complicated than a smaller site needed. So on December 27, 1997, Winer began to publish Scripting News in his own scriptingNews feed format as well. He just simplified CDF for his own needs and made that available for anyone who wanted to use it to subscribe.
Meanwhile Libby had been working away at his own version of a feed platform and Netscape was about to make a big launch that would cause his project to surpass them all. On July 28, 1998, Netscape launched My Netscape Portal, This was one of the earliest Web Portals. A place that aggregated links from sites around the Web. You could add sites you wanted to follow, like CNET or ZDNet and then see their latest posts all in one place.
Netscape kept the links updated with a set of tools developed by Libby. He had taken a part of an RDF parsing system that his friend Guha had developed for the Netscape 5 browser, and turned it into a feed parsing system for My Netscape. He called it Open-SPF at the time, for Site Preview Format.
Open-SPF let anyone format content that could then be added to My Netscape. It was rich like CDF, open like CDF but had one advantage over CDF. It worked on My Netscape, which suddenly everyone wanted to be on.
Netscape provided it for free because that meant the company didn’t have to spend time reaching deals for content. You want your content on My Netscape, use Open-SPF, it can be there. That meant there was more content available for My Netscape than was usual on curated pages. The content was free for both the users and Netscape. More content meant more users and more users meant Netscape could serve more ads. And content providers were willing to create the Open-SPF feeds, because they weren’t burdensome to create and the sites got more visitors who saw their content on My Netscape and clicked on links to come to their sites.
Sound familiar? This arrangement is the one Google still tries to rely on for Google News. Except the news publishers have changed tunes. Back then they were all about bringing visitors to their websites and happy that Netscape sent folks their way for free.. But as the years have passed and revenue has shrunk, now they’re more about getting Google to pay them for linking to their news.
Anyway back to the rise of Netscape.
1999 is not only the end of the millennium. It’s not only when everyone actually got to party the way Prince had been asking them to pretend to party. 1999 was a huge year for RSS. It was about to reach its modern form and become something users of RSS today would recognise. By name.
On Feb. 1, 1999 Open-SPF was released as an Engineering Vision Statement for folks to comment on and help improve.
Dave Winer commented that he would love to add Scripting News to My Netscape but he didn’t have time to learn Netscape’s Open-SPF. However because he had his own self-made feed format using XML he’d “be happy to support Netscape and others in writing syndicators of that content flow. No royalty necessary. It would be easy to have a search engine feed off this flow of links and comments. There are starting to be a bunch of weblogs, wouldn’t it be interesting if we could agree on an XML format between us?”
However by Feb. 22, Scripting News was publishing in Open-SPF and available at My Netscape. Feeling like it was a success, Libby changed the name of Open-SPF to refer to the fact that it used RDF, calling it the RDF-SPF format and released specs for RDF-SPF 0.9 on March 1. Shortly after release he changed the unwieldy name to RDF Site Summary, or RSS for short. Thus begins the first in a parade of meanings for RSS
And the new name took off. Carmen’s Headline Viewer came out on April 25th as the first RSS desktop aggregator and Winer’s my.UserLand.com followed on June 10th as a web-based aggregator.
Folks liked the idea obviously, but a lot of RSS enthusiasts thought the RDF was too complex, Dave Winer among them. Libby hadn’t ignored Winer’s earlier offer either. In fact, Libby thought they weren’t really using RDF for any useful purpose. So he simplified the format adding some elements from Winer’s scriptingNews, and removing RDF so it would validate as XML. This was released on July 10, 1999 as RSS 0.91.
Some folks write that the name changed to Rich Site Summary at that point but Winer wrote at the time “There is no consensus on what RSS stands for, so it’s not an acronym, it’s a name. Later versions of this spec may say it’s an acronym, and hopefully this won’t break too many applications.”
Anyway by 1999, like Toy Story, RSS is on a roll. Libby is bringing in feedback from the community and creating a workable usable standard that is reaching heights of popularity beyond just the confines of My Netscape.
Like some kind of VH1 Behind the Music story, as it reach that’s height, everything fell apart.
Netscape would never release a new version of RSS again.
In the absence of Netscape’s influence, two competing camps arose.
Rael Dornfest wanted to add new features, possibly as modules. That would mean adding more complex XML and possibly bringing back RDF.
Dave Winer preached simplicity. You could learn HTML at the time by just viewing the source code of a web page. Winer wanted the same for RSS.
On August 14, 2000, the RSS 1.0 mailing list became the battleground for the war of words between the two camps.
Dornfest’s group started the RSS-DEV Working Group. It included RDF expert Guha as well as future Reddit co-founder Aaron Swartz. They added back support for RDF as well as including XML Namespaces. On December 6, 2000 they released RSS-1.0. and renamed RSS back to RDF Site Summary.
Not to be left behind, two weeks later On December 25, 2000, Winer’s camp released RSS 0.92.
Folks, grab your steaks knives. We have a fork.
In earlier days, Libby, or someone at Netscape, would have stepped in. In But AOL had bought Netscape in 1998 and had been de-empahasizing My Netscape. They wanted people on AOL.com. And if they didn’t care about Netscape, they cared even less about RSS. In fact they actively did things that could have ended RSS. In April 2001, AOL closed My Netscape and disbanded the RSS team, going so far as to pull the RSS 0.91 document offline. That document was used by every RSS parser to validate the feeds. Suddenly all RSS feeds stopped validating. Apparently this had little effect on visitors to AOL.com or people dialing in to their internet connection, so AOL just let them stay broken. With the RSS team gone and AOL doing nothing, RSS feeds were looking dead in the water.
But the RSS 0.91 document was just a document after all. And there were copies. Anybody theoretically could host it as long as everyone else changed their feeds to validate to the new address. Dave Winer stepped up.
Winer’s UserLand stepped in and published a copy of the document on Scripting.com so that feed readers could validate. That right there won Winer a lot of good will.
An uneasy truce followed. Whether you were using Netscape’s old RSS 0.91, Winer’s new RSS 0.92 or the RDF Development Group’s RSS 1.0 they would all validate.
By the summer of 2002, things are going OK and tempers have cooled. Nelly has a hit song advising folks what to do if things get hot in here. Maybe we can solve this? Let’s try to merge all three versions into one new version we can all agree on and call it RSS 2.0. right?
Except they couldn’t agree. Winer still wanted simplicity. RDF folks still wanted RDF and the fun features it would bring. They would agree to a simplified version of RDF but they still wanted it. To make matters more confusing, Winer was discussing what should happen by blog, with everyone pointing to their own blogs. The RDF folks were talking about it on the rss-dev mailing list.
Communication, oddly in a discussion about a communication platform, was the problem. Since neither side was seeing each other’s arguments they never came to an agreement. So Winer’s group decided not to wait. On September 16, 2002, UserLand released their own spec and just went and called it RSS 2.0. AND Winer declared RSS 2.0 frozen. No more changes.
Discussions continued on the RSS-dev list but Winer’s camp got another victory when in November 2002, the New York Times adopted RSS 2.0. That caused a lot of other publications to follow suit. Further consolidating the position.
The next year in another move fending off the debate, on July 15, 2003, Winer and UserLand assigned ownership of RSS 2.0 copyright to Harvard’s Berkman Center for the Internet & Society. A three-person RSS Advisory board was founded to maintain the spec in cooperation with the Berkman Center which continued the policy of considering RSS frozen. Mic. Dropped.
There was still a resistance. IBM developer Sam Ruby set up a wiki for some of the old RDF folks, and others, to discuss a new syndication format to address shortcomings in RSS and possibly replace Blogger and LiveJournal’s protocols. The Atom syndication format was born of this process and was proposed as an internet official protocol standard in December 2005. Atom has a few more capabilities and is more standard compliant, being an official IETF Internet standard, which RSS is not. But in practice they’re pretty similar. Atom’s last update was October 2007 but it is still widely supported alongside RSS.
And RSS 2.0 kept going. In 2004 its abilities to do enclosures, basically point to a file that could be delivered along with text, led to the rise of Podcasts. Basically RSS feeds that pointed to MP3 files.
In 2005, Safari, Internet Explorer, and Firefox all began incorporating RSS into their browser’s functions. Mozilla’s Stephen Hollander had created the Web Feed icon, the little orange block with a symbol like the WiFi symbol at an angle. It was used in Firefox’s implementation of RSS support, and eventually Microsoft and Opera used it too. It was also used for Atom feeds. Stephen Hollander did what most could not. Get people interested in providing automated Web feeds to agree on something.
And in 2006, with Dave Winer’s participation, RSS Advisory Board chairman Rogers Cadenhead relaunched the body, adding 8 new members to the group in order to continue development of RSS.
Peace in the form of an orange square was achieved.
OK. So RSS has a colorful history. What the heck does it do?
That part is pretty simple. It’s a standard for writing out a description of stuff so that it’s easy for software to read and display it.
Basically you have the channel (or Feed in Atom) and Items (or entries in Atom).
RSS 2.0 requires the channel to have three elements, the rest are optional. So to have a proper feed you need a title for your channel, a description of what it is and a link to the source of the channel’s items.
Like Daily Tech News Show – A show about tech news. And a link to dailytechnewsshow.com
Optional elements of RSS are things like an image, publication date, copyright notice, and even more instructions like how long to go between checking for new content and days and times to skip checking.
The items are the stuff in the feed. There are no required elements of an item, except that it can’t be empty. It has to have at least one thing in it. So an item could just have a title or just have a link. However most of the time an item has a title, a link and a description. The description can be a summary or the whole post. Other elements of the item include author, category, comments, publication date and of course enclosure.
So for our Daily Tech News Show example title might be Episode 5634 – AI Wins, the description might be “Tom and Sarah talk about how AI just won and took over everything.” And the link to the post for that episode.
The enclosure element lets the item point to a file to be loaded. The most common use for the enclosure tag is to include an audio or video file to be delivered as a podcast.
For Daily Tech News Show that would be a link to the MP3 file.
In the end an RSS reader or a podcast player looks at an RSS feed the way your browser looks at a web page. It sees all the titles, links descriptions and possible enclosures, and then loads them up and displays them for you.
After a rather stormy opening decade, RSS has settled down into a reliable and with apologies to team RDF, simple way of syndicating info. Really Simple Syndication indeed.
Like podcasting which it provides the underpinnings to, RSS has been declared dead several times. But it just keeps on enduring. I hope you have a little appreciation for that tiny file that delivers you headlines and shows now. In other words, I hope you know a little more about RSS.

Ready for a passwordless life? Tom explains how Passkey will get us there and why it’s coming sooner than you think and later than you’d like.

Featuring Tom Merritt.

About the FIDO Alliance.
About Public Key Cryptography.

MP3

Please SUBSCRIBE HERE.

A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email to [email protected]

Episode transcript:

I just figured out passwords and now they’re switching to passkeys!
And supposedly you just tap a thing on your phone and you’re in?
How is that even secure?
Confused? Don’t be.
Let’s help you know a little more about passkeys.

Passkeys are the hope for our passwordless future. They’re based on FIDO 2 from the FIDO Alliance.
FIDO stands for Fast Identity Online and the alliance includes Amazon, Apple, Google, Meta, Microsoft, Samsung, Intel, Qualcomm PayPal, Wells Fargo, US Bank, Visa 1Password, LastPass, RSA. the list is rather long but I think that gives you the flavor. It’s big tech companies, security provider’s chip makers and banks.
The FIDO alliance develops FIDO 2 as an open standard in cooperation with the World Wide Web Consortium or W3C.
I did an entire episode on FIDO 2, which aims to increase authentication security, but here’s the short version. FIDO 2 gives you single multi factor, meaning it doesn’t require a password. FIDO 2 is probably most familiar to folks in corporate enterprises that use things like Yubico’s Yubikeys. They’re the little USB dongles you insert or tap to provide a second factor.
Many of you may NOT be familiar with those and that’s the reason FIDO 2 hasn’t spread faster. As much as it would be great if everyone bought something like a Yubikey, most people just aren’t going to do that. And until you get most people to do it, sites aren’t going to want to pay developers to redo their authentication system.
That’s why you see it in a corporations right? The company CISO just makes everybody use the yubikey to log in. The devs have to implement it because every employee int he company is going to sue it. Also because the CISO told them to do it.
In the wider world you need a diverse array of websites and device manufacturers to support it AND a bunch of consumers who adopt it. And consumers won’t adopt something unless it’s easy.
So we’ve been in this holding pattern for awhile, waiting for adoption by devs who are waiting for adoption by consumers who are waiting for easy implementation which requires adoption by devs and now I’m dizzy.
But passkey seems about to get us off this merry-go-round. Because passkey is designed to be easy while also being secure.
Passkey is an implementation of FIDO 2, but instead of making you get another thing, like a USB key, it uses the devices you already have. They sort of turn your device into the yubikey.
Here’s how creating a passkey works.
Let’s say you have an iPhone and you’re using Chrome. You go to a website, let’s say passkeys.io. It probably will ask you for an email address. The email address is not necessary for passkey to work. So you can go ahead and give it a fake one or a spam one if you want. However the email address is likely going to be used for account recovery in case you lose the phone that has all your passkeys. So you might want to use a working email address.
After you enter the email address, you press “Set up passkey.” It then prompts you to use with whatever you use to protect your devices overall security. It could be FaceID, could be a fingerprint scanner. Maybe it’s a nice complex PIN. Let’s say it’s a fingerprint scan. Press your finger on the fingerprint scanner on your device and you’re in. That’s it. You just created a secure account.
Yep! WAY easier than enter a password twice, oh you don’t have enough character oh you didn’t use special characters. None of that. No adding it to the password manager. Email address. Create passkey. Fingerprint scan. Done. In the background your OS has stood the passkey securely and may be syncing it with other devices.
And you gave precious little to the company you created the passkey for! It knows whatever email you gave them and has created a token to match with your passkey in the future. It has NOT stored your passkey. An attacker cannot steal your password from the company because the company doesn’t have it.
The next time you go back to sign in on that same iPhone, you’ll just choose “Sign in with passkey,” swipe your fingerprint and you’ll be signed in.
But ah you say. What if I want to sign in on my Windows machine using the Edge browser?
Go to passkeys.io on Edge and select sign in with passkeys. Your passkey isn’t on that device so it gives you the option of using a QR code. Scan the QR code with your phone and the synced passkey tells the website that it’s you and logs you in on the Edge browser.
In the future once support is fully implemented it will get easier. Bluetooth LE from Windows can directly notify your iOS or Android phone of the login request through an encrypted tunnel. You see that notification on your phone. So you pick up your phone and unlock it.
OK so what happens if you lose your phone? One hedge against that is if you have multiple devices. You can store your passkeys on a laptop and a phone. Apple, Microsoft and Google provide end-to-end encrypted syncing of passkeys across devices. But there’s also good old account recovery by email which is why you want to give a working email along with your password. Right now account recovery is so much more secure than passwords that some sites only log you in by sending you an email. Keeping your email account secure is quite important of course and will continue to be so. And it will be important to have multiple ways to securely log in to your email. So you’ll want passkeys on more than one device.
In a world of passkeys you’ll need multiple ways of getting to your email of course, but also you’re device security becomes paramount. Unlocking a laptop or phone will serve the same step as entering a password used to. This will take some education for people who use insecure passwords on their devices. However, to steal passkeys will still require physical access which is much more secure than passwords are now. Still, best practice is to make sure you have a sufficiently complex PIN backing up face or fingerprint.
Is this really more secure? The full details are in our episode on FIDO 2 but think of it this way.
Right now, you might try to be secure by using a password manager to create a long complex password and store it in an encrypted vault. You then use another long complex password to unlock the vault and access the password for a website and enter it there. Then if you are using MFA you open an app generating codes and type a code in separately. Every one of those steps is phishable. Somebody could be tricking you into entering the password or the MFA code into the wrong box at the wrong time. It can happen to the most careful among us.
With Passkey, unlocking your device replaces unlocking your password manager. Except the password is an encrypted key much more complex than any your password generator would generate, and is automatically sent directly to the site requesting it. That site combines it with its token to validate it’s the right account and authenticate you. (See our episode on Public Key Cryptography to understand how this works securely)
Since during that process, you didn’t have to type anything anywhere there’s no chance it gets typed into the wrong place. Since only the site you’re trying to log into can make use of that key, there’s no risk of sending your passkey to the wrong location. To intercept the key and try to use it to pretend to be someone would require breaking some incredibly strong encryption. And there is no password stored by the site! So there is no password database to breach.
So where can you use passkeys?
Many browsers support it including Chrome on ChromeOS, Windows and macOS, Microsoft Edge on Windows and macOS and Safari on MacOS.
Apple started supporting passkeys in iOS 16, iPadOS 16 and macOS Ventura
Google supports passkeys in Android as of October 2022 and ChromeOS in beta with full support in 2023.
Windows will support passkey in 2023.
Passkeys are supported by PayPal, eBay, WordPress and a growing list of websites.
And here’s where a lot of folks see downside. In pursuit of the mass market of consumers passkey does leave folks out. If you’re on Linux you can use Fido 2 like a yubikey but you may not be able to use passkey, without also using a Mac, iOS, Android or Windows device.
That may make you upset and I get it. Passkey is meant to be the mass market version of FIDO 2 so it runs on the mass market platforms. Thankfully FIDO 2 is an open standard so passkey can be extended to other platforms, it’s just going to take someone doing the work.
But remember that even if you’re using the mass market platforms the keys are always stored locally. Their cloud services are used for sync not storage and are end-to-end encrypted. That may or may not make you feel better but it’s not as egregious as managing the keys for you.
So can we ditch passwords? Not yet.
By the end of 2023 all the operating systems will fully support it along with the major browsers and more websites will as well. At that point users will need to update their operating systems and start learning what passkey is and decide if they trust it. But we’re close. Within a couple of years we should start seeing passkeys become common and passwords less so.
In other words, I hope you know a little more about passkey.

Tom explores the history, usage, and possible dangers of QR Codes.

Featuring Tom Merritt.

MP3

Please SUBSCRIBE HERE.

A special thanks to all our supporters–without you, none of this would be possible.

Thanks to Kevin MacLeod of Incompetech.com for the theme music.

Thanks to Garrett Weinzierl for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email to [email protected]

Transcript:

I went to a restaurant and they said their menu was a little box full of boxes.
How am I supposed to read that.?
Someone said point my phone at it?
Confused?
Don’t be, let’s help you Know A Little More about QR Codes.

The “QR” in QR code stands for Quick Response code. It was invented by Masahiro Hara of the Denso Wave subsidiary of Japan’s Denso automotive parts company in 1994. He was inspired by the black and white patterns created when playing the game Go. The original application of the QR code was to identify parts in auto manufacturing at high speed.
The QR code is a type of 2D or matrix barcode, as opposed to the widespread UPC bar code you see a lot of, which is considered a 1D bar code. A 1D bar code is read in one dimension. So with UPC a laser horizontally the series of varying widths of black and white bars. Whereas a 2D barcode is read vertically and horizontally and uses rectangles, dots, hexagons and other patterns.
The big advantage of a 2D bar code is it can hold more information and deliver it quicker than a 1D bar code.
A QR code uses black squares called data modules arranged in a square grid on a white background. The background should extend outside the square in what’s called a “quiet zone” to make it easy to detect what’s actually part of the QR code’s matrix. You can encode four standard types of input data or “encoding modes:” numeric, alphanumeric, byte/binary and kanji.
The maximum amount of information you can encode depends on which of these inputs you’re using as well as your level of error correction and the dimensions of the grid. Grid dimensions are described by a level number from 1- 40. With level 1 having 21 by 21 data modules and each level adding 4 until you get level 40 with 177 x 177 data modules.
Maximum capacity can be found with the 40-L numeric encoding which encodes just numbers at the maximum dimensions of the grid with the lowest error correction. It can hold 7089 characters. The Alphanumeric version of the same thing holds 4,296 characters. Most QR codes you see in everyday life are around versions 2-5 and usually hold between 20 to 100 characters, enough for a shortened URL.
Because a QR code is two dimensional you need an image sensor to detect it. Since almost every phone now has a camera, the phone has become the most familiar way QR codes are scanned.
A Reed-Solomon error correction process is used to interpret the pattern. Reed-Solomon is also used in CDs, Blu-ray Discs, DSL and RAID 6. In QR codes there are four levels of error correction L is the lowest restoring approximately 7% of data, M is the middle at 15%, Q is the next up at 25% and H is the highest at 30%. This is going to offend statisticians and data professionals but you can roughly think of it as if up to 7% of the data is damaged the L error correction will still let you read the data. In practice most QR codes seem to use M. I guess they assume if more than 15% of that sticker is damaged you might as well get a new menu sticker.
But let’s get into how that pattern of blocks gets turned into your restaurant menu or wifi password or name of a conference room or whatever. The whole QR code is made up of just those blocks, called data modules, either black squares or empty white spaces.
You might have noticed there are always three distinctive larger squares in the corners of a QR code, Those are position markers. They are used along with a smaller square or set of squares in the fourth corner to calibrate the size, orientation and angle in which the pattern is being viewed.
Now your QR code reader, likely your phone’s camera, knows where the code is and can adjust for how big it looks in your camera. It can even do these adjustments on the fly as your unsteady hand wavers over the restaurant table.
Next it needs to know some things about what kind of encoding and error corrections and such were used. This way it can interpret the data correctly.
The mode indicator is placed in the bottom right indicating the input type. Other format information like error correction quality and character count is placed near the three squares. These are done as a sequence of 4 bit indicators.
That stuff is always the same and lets the reader know whether to look for numbers, alphabets kanji whatever and how much will be redundant error correction code
Now it’s time to read the whole point of this exercise. The data. The thing. The link to the menu. The kind of auto part this is. The WiFi Password!
In the space remaining after the position markers and format data, the encoded data is placed from right to left in a zigzag pattern until it reaches an end indicator. The amount of bits used for your data varies by the type of input. So numbers can get 3 digits into 10 bits, alphanumeric gets 2 characters into 11 bits and so on. You can even switch encoding types if you need to. Just throw in another 4-bit indicator.
You often need to mix input types because alphanumeric can only do capital case and 8 punctuation marks. So to do anything beyond that you need to use bytes which takes up more bits.
And that’s it, once the reader has interpreted all that it has the data and then the reader goes from there whether that’s showing you a URl you can tap or a wiFi password you can enter or the name “brake pad.”
You may wonder who keeps track of how that all works so that every reader works with every QR code.
QR codes have been standardized multiple times over the years. The first time was in October 1997 issued by the Association for Automatic Identification and Mobility, followed by one in January 1999 from JIS or Japanese Industrial Standards. And then the heavy, the International Standards Organization, or ISO issued its first standard in June 2000 and most recently updated it on February 1st, 2015.
Denso freely licenses QR code tech as long as users follow either the JIS or ISO standards. While Denso holds patents on the technology, it waived its rights for standardized codes and its patents in the US and Japan have already expired.
Denso does still hold the trademark on the name QR code and maintains some proprietary, non-standard implementations. But the ones you mostly see are standards-compliant.
You probably figured this out but QR codes are static. Once they’re printed, they don’t change. Even if you made an animated GIF of a QR code, the reader would just keep trying to show you the latest one. Once you make a QR code it’s meant to stay that way. Which makes them great for permanent information, which is why they were very good at parts identification. This is a shock absorber and we have very little expectation it will suddenly become a brake pad so we can slap a QR code on it so the assembly robots know what it is.
However at some point folks had the bright idea to encode URLs into QR codes. Why not? URL’s are just alphanumeric strings after all. Now, the URLs are still static. But any URL can be made to point to a different thing over time by redirecting it. Knowalittlemore.com for instance points to the ACast site where the podcast lives. I could change that to point to the daily tech news show blog posts about the show instead, if I wanted. So URLs sort of bring in the idea of a dynamic QR code, and so some people refer to static vs. dynamic QR codes. Let’s be clear, they’re all static. So when someone says a QR code is dynamic, it just means it has a URL. The code itself isn’t actually dynamic. But it points to a URL that you know you can redirect to different things. This is helpful for say, a restaurant that changes its menu.
It is also helpful for malicious types who want to do crimes and other malicious behavior.
As I think is clear by now, QR codes themselves are not risky as they only hold static data. QR code readers when working properly would prevent unauthorized executions of that data and there’s not a lot of leeway to make a very capable executable anyway. So the bigger worry is the URL. The practice of encoding URLs in QR codes is widespread, dare we speculate it is the norm, and that means the same risks that come in clicking any URL anywhere come with QR codes. One weakness could be a third party QR code reader that let its permission down a little. But even the most buttoned-down from the OS manufacturer built into the camera app QR code reader –can just take you to a malicious site like any email text message or link on the web.
As such you should only scan QR codes if you’re certain of the source. QR code stickers out in the world might be legitimate or might have been stuck there by someone malicious, possibly over the legitimate code. This doesn’t mean you should never scan a QR code in public but use secure QR code readers and look carefully at the link you’re being sent to before tapping it.
Some malicious links can look to you like they operate normally while engaging in malicious behavior like accessing your browser history or sending text messages without your knowledge.
It’s also good to doublecheck the URL after you tap to make sure it took you where you expected to go. Don’t just look at the graphics or the site layout, those can be faked. And resist the urge to log in, pay for something or download an app from a QR code link. Those are all popular scam vectors. There are legitimate times to use QR codes for that, but you need to be very sure about the legitimacy of the code before you do any of those.
And finally keep in mind that while the actual scanning of a QR code leaks no data, using a QR code to go to a website exposes all the same kinds of data as any visit to a website. Like your IP address, kind of browser and device, etc. This is no worse than browsing the web mind you, but something to keep in mind.
Finally , there are a few variations on the QR code you may encounter.
The Micro QR code holds a very small amount of info but doesn’t take up space so it’s often used on small items. It only has one positioning square in the upper left corner.
Denso Wave has a proprietary version called the IQR code that can be square or rectangular. It works well on cylindrical objects and holds more information than the standard QR Code.
And Frame QR codes take advantage of the error correction process to allow for a canvas area that can be used for logos, graphics etc.
QR codes are just bug dumb links in the world made of squares. Treat them like any big dumb link you’d find anywhere.
In other words, I hope you know a little more about QR codes.

Microsoft announced the free upgrade to Windows 11 will begin rolling out on October 5th, starting with new devices. Protocol’s Amber Burton has an article called ‘There aren’t enough data scientists’: How the future of reskilling in tech is changing. South Korea’s National Assembly passed an amendment on Tuesday prohibiting large app-store operators from requiring the use of their in-app purchasing systems.

Starring Tom Merritt, Sarah Lane, Lamarr Wilson, Roger Chang, Joe, Amos

MP3 Download

Follow us on Twitter Instgram YouTube and Twitch

Please SUBSCRIBE HERE.

Subscribe through Apple Podcasts.

A special thanks to all our supporters–without you, none of this would be possible.

If you are willing to support the show or to give as little as 10 cents a day on Patreon, Thank you!

Become a Patron!

Big thanks to Dan Lueders for the headlines music and Martin Bell for the opening theme!

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods Jack_Shid and KAPT_Kipper on the subreddit

Send to email to [email protected]

Show Notes
To read the show notes in a separate page click here!

Apple places Wistron on probation after an internal audit found the company violated its Supplier Code of Conduct, Microsoft is looking to develop its own ARM chips, and the operators of the supply-chain attack against SolarWinds had access since at least October 2019.

MP3

Please SUBSCRIBE HERE.

You can support Daily Tech Headlines directly here.

A special thanks to all our supporters–without you, none of this would be possible.

Big thanks to Dan Lueders for the theme music.

Big thanks to Mustafa A. from thepolarcat.com for the logo!

Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit

Send us email to [email protected]

Show Notes
To read the show notes in a separate page click here!