this post was submitted on 17 Jan 2024
340 points (92.7% liked)

The Onion

4515 readers
1647 users here now

The Onion

A place to share and discuss stories from The Onion, Clickhole, and other satire.

Great Satire Writing:

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 11 points 10 months ago (4 children)

I love people’s absolute moral outrage about scanning a QR code. The same folks crying bc they have to ask for a plastic straws or wear a smal piece of cloth on their face in the grocery store.

[–] [email protected] 50 points 10 months ago (2 children)

It’s a genuine security risk.

Menus aren’t killing the environment either.

[–] [email protected] 22 points 10 months ago* (last edited 10 months ago) (1 children)

Yeah, I get wanting to not reprint menus every time something changes, but there are ways to do that which are more convenient and accessible than "scan a QR code to go to a random website and pray you have working internet access and also the site is working and up to date." Y'know, like a damn menu board on the wall. Whiteboard/chalkboard even!

[–] [email protected] 5 points 10 months ago

This is my personal preference, a place I used to go a lot had a black board across one whole wall and the menu was hand written on it. The menu changed frequently and it was often full of flourish and creativity from some employee.

[–] [email protected] 6 points 10 months ago* (last edited 10 months ago) (1 children)

If you're using these links as restaurant menus as opposed to ordering platforms (this is how I use them, and how this post & other commenters seem to be presenting the concept) that's kind of limited to a risk of straight up being phished in a situation where you don't really have any reason to hand over your information.

In a pub/bar setting it's helpful to know what's available at the bar before I'm standing at it, especially if I'm buying a round. That is to say it generally lowers the bar to menu availability, not raise it. Because before the pub/bar would simply have no table menu and you'd figure out what you wanted by asking or looking at the taps

[–] [email protected] 12 points 10 months ago (1 children)

There are clickless exploits and other methods that don't require you to enter information, nevermind that nearly all of these menus have ordering and payment available through them and mimicking websites is fairly simple.

QR codes cannot be trusted just like links from unknown sources cannot be trusted.

[–] [email protected] -1 points 10 months ago (2 children)

I think you'll find there isn't an Android or iPhone on the market today vulnerable to SQL injection or XSS etc via scanning a QR code. You're talking about device vulnerabilities that get patched and it's equally possible to encounter these exploits with plaintext URLs

[–] [email protected] 5 points 10 months ago (1 children)

You’re talking about device vulnerabilities that get patched

Patching out zero days takes time.

it’s equally possible to encounter these exploits with plaintext URLs

Yes which is why I clearly stated that following URLs from any unknown sources carries risk.

The difference is that due to menus being a point of payment they have a greater incentive for abuse.

[–] [email protected] 7 points 10 months ago (2 children)

So we shouldn't use smartphone features if they could potentially have exploits? With this logic you shouldn't have a phone.

[–] [email protected] 1 points 10 months ago

no but QR is a shit bug/exploit riddled mess of a format

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago) (2 children)

We shouldn't replace perfectly good solutions with unreliable, cumbersome, insecure, annoying shitty tech just because.

[–] [email protected] 2 points 10 months ago (1 children)

Thinking that simply visiting a web site for a business you've already decided to patronize is dangerous is some serious boomer logic.

[–] [email protected] 1 points 10 months ago

If we only focus on the security part, how the do you know it's even their site you're visiting? Often those qr codes are just stickers on table, trivial to slap a new one there

But it also adds a lot of annoyance for customers who came to eat food, not doomscroll on their fucking mobile phone

[–] [email protected] 1 points 10 months ago* (last edited 10 months ago)

My whole point is that the perfectly good extant solutions are equally flawed. QR codes don't create a situation where e.g mimicing a website is easier. It is already easy. It is not any more difficult to mimic a website with a fake domain name purposefully named in plaintext in a way to deceive.

Literally the only difference is you are looking at letters, which you are confident in your ability to parse, with a code which you are not. A URL being short and easy to type doesn't make it less likely to be malicious.

The key thing to remember is that yours, my, everyone's assessment of perceived risk is very incomplete. Your specific comfort with plaintext is itself a potential attack vector. So an approach to privacy/security where you simply avoid all possible circumstances with any perceived risk attached to them is a shitty approach. Engaging with an acceptable risk level is the only way to teach yourself vigilance.

People recently started seeing QR codes everywhere and feel confronted by this new reality, that's natural. But the truth is that this is fear of QR codes is irrational where it is not reconciled with the perceived risk of generally using the internet and following links. There might be a difference in the physical characteristics of the link format, but in terms of computer security the difference doesn't matter.

Just because some commenters here remember seeing a CVE in 2016, or read about QRgen one time, doesn't mean QR code protocol is inherently vulnerable. It is in fact quite ridiculous to suggest that would be the case and all the manufacturers would continue to support it.

[–] [email protected] 3 points 10 months ago (1 children)

If the restaurant doesn't have a good enough reputation that I couldn't trust the QR they provided (which displays the URL so I can inspect it before launching the web browser), I also wouldn't want to trust my health to eating there.

It isn't like some random thing you found on the sidewalk.

[–] [email protected] 4 points 10 months ago

I'm pretty sure these are just an echo of the same concerns people put forward when URLs first started being included in signage, due to general privacy/security concerns with the internet. Somehow we got through it!

[–] [email protected] 29 points 10 months ago (1 children)

It is a privacy/security issue, not moral. A QR eatery will probably not accept cash either.

[–] [email protected] 2 points 10 months ago* (last edited 10 months ago) (2 children)

The issue is because it connects with a website right? I wonder if there could be a way to encode the text of the menu in the QR code itself

[–] [email protected] 4 points 10 months ago (1 children)

The QR code would be huge lol

[–] [email protected] 3 points 10 months ago

The largest can fit like 500-1k words, a restaurant menu could be less than that I think

[–] [email protected] 0 points 10 months ago* (last edited 10 months ago) (1 children)

Yes web site is the issue.

Cannot embed menu instead because the QR code is a URL.

[–] [email protected] 1 points 10 months ago (2 children)

Why does QR code have to be URL only

[–] [email protected] 3 points 10 months ago (1 children)

Mostly because otherwise you'd need an app that knows how to read and display the data

[–] [email protected] 1 points 10 months ago (1 children)

oh, I don't use my phone much, assumed they should be able to show some kind of plaintext from a QR code by default

[–] [email protected] 2 points 10 months ago

You can. I've encoded text in QR codes using both an android app and a desktop program.

[–] [email protected] 1 points 10 months ago (1 children)

The QR code would be so big you may as well just print a full menu instead. Here, for example, is a QR code containing the first two paragraphs of the US Declaration of Independence:

It would have to be much, much bigger if you want to include any pictures.

[–] [email protected] 0 points 10 months ago (1 children)

Still seems much better than linking to a website.

[–] [email protected] 1 points 10 months ago (1 children)

When it is that big you may as well print a conventional menu rather than QR code.

[–] [email protected] 2 points 10 months ago

Only if you're giving everyone a copy, could be a big central printout, screen or projector.

[–] [email protected] 21 points 10 months ago* (last edited 10 months ago) (1 children)

I dislike qr menus mostly cuz their websites suck and I often don't carry a phone.

Edit: Let me just add that as a coder my dream is to one day be hired for a really expensive and complex project and to give them a solution that only uses paper.

Paper menus are just full color e ink large foldable ipads that don't weight a thing and are cheap, and have a super accessible interface.

[–] [email protected] 7 points 10 months ago (1 children)

I've used exactly one QR coded menu that didn't suck. Every other one was some manner of infuriating, top method being "every item takes up 75%+ of your phone's screen and is all arranged vertically so it's impossible to compare two items without scrolling through 3-40 screens worth".

[–] [email protected] 3 points 10 months ago

That last bit is the most annoying part. I can't stand not being able to quickly skim and compare and since most restaurants have too many items on their menu at it is I find it especially annoying.

[–] [email protected] 13 points 10 months ago

I wear masks, carry stainless steel straws so I don't have to use paper ones. You want me to eat at your establishment more than once, don't make me use my phone at meal time.