Train staff didn't accept us presenting our digital ticket on ebook reader 🙄 - they are not allowed to scan arbitrary QR codes without "verifying where they are coming from".
Luckily enough, #PassAndroid was fine for them, because "some app" is apparently okay..
@eliasp Actually, the same staff member checked our tickets about an hour later on the way back (without recognizing us), and asked me to "scroll" in the app to show it's actually "an app" and not just a screenshot.
I feel like most people don't understand what the process of "scanning a QR code" actually means. To them, it seems to be comparable to waving a magic stick.
SNCB Europe, when you buy a ticket, will give it to you in one of two forms:
A ticket on the phone, in their app.
A paper ticket, delivered in PDF form.
YOU MUST PRINT THE PDF ONE ON ACTUAL PAPER OR IT IS NOT VALID. YOU CANNOT SHOW IT ON A SCREEN. VERBODEN. INTERDIT. FORBIDDEN. IT WILL BE REJECTED. NEVER. NIMMER. NYET. NO. NON. NEE.
Both have the exact same 2D barcode on them.
Digital signatures have been a thing for decades now.
Why?
(Edit: Wait... I'm talking to the Codeberg social media account? Huh.)
Sounds like bad software; it seems like it does not account for malicious QR codes, otherwise you wouldn't have to tell the staff to check for "arbitrariness", right?
When transporting your servers like that, do anticipate dirt and, worse, rain. Two Ikea blue bags fit great for most servers ;) (one over the top, one over the bottom upwards due to dirt/mud coming from the floor).
On arrival, do acclimatize the server and ensure to reseat many cards, which is why an outer carton box is advised. Good luck with the new toy! -- fellow server-by-public-transport person ;)
@jeroen We were prepared for moisture and rain, but it was a rather sunny day. We will clean up the interior (during the handover, at least one leaf fell in). But thank you for the hints!
To answer the initial question: This is what makes us nerds happy (in case you didn't expect an answer like this). An interesting experiment for us, too.
What this means in the long run for Codeberg? We're finally - thanks to the expertise and help of some volunteers - ready to expand our hardware infrastructure, making Codeberg more resilient to certain kinds of issues and improving availability in the long run.
Kinda odd that the QR-code doesn't contain just a digital signature or something similar, and that their ticket-checking app might be vulnerable to it containing something malicious, like opening a random malicious URL.
I suppose it was just "QR code bad" and the policy wasn't thought through much more than that?
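As an added example that is not part of this thread (neither Codeberg's nor any rail operator's code), here is the kind of check Mizah is asking for: the inspector's device verifies the operator's Ed25519 signature over the ticket fields and treats the scanned text as opaque bytes, so where the QR code was displayed (app, e-reader, paper) becomes irrelevant. The `TKT1.` payload layout and the sample ticket fields are constructed for this example and are not any real ticket format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Constructed payload layout for this example (an assumption, not any real
// operator's format): "TKT1." + base64url(fields) + "." + base64url(signature).
const prefix = "TKT1."

// IssueTicket signs the ticket fields with the operator's private key and
// returns the text to encode in the QR code.
func IssueTicket(priv ed25519.PrivateKey, fields string) string {
	sig := ed25519.Sign(priv, []byte(fields))
	return prefix + base64.RawURLEncoding.EncodeToString([]byte(fields)) + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyTicket returns the ticket fields only if the signature is valid. The scanned
// text is handled as bytes and is never opened, followed or executed by the inspector.
func VerifyTicket(pub ed25519.PublicKey, scanned string) (string, error) {
	if !strings.HasPrefix(scanned, prefix) {
		return "", errors.New("not a ticket payload")
	}
	parts := strings.SplitN(strings.TrimPrefix(scanned, prefix), ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed ticket payload")
	}
	fields, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return "", errors.New("malformed ticket payload")
	}
	if !ed25519.Verify(pub, fields, sig) {
		return "", errors.New("signature invalid: not issued by the operator")
	}
	return string(fields), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // issuer keeps priv, inspector devices get pub
	qr := IssueTicket(priv, "id=0001;from=BRU;to=AMS") // constructed sample ticket
	fmt.Println(VerifyTicket(pub, qr))                         // id=0001;from=BRU;to=AMS <nil>
	fmt.Println(VerifyTicket(pub, "https://example.invalid/")) //  not a ticket payload
}
```

A forged ticket signed with any other key fails the same check, which is what makes "is this the official app?" an unnecessary question for the inspector.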
@mizah Well, in the case of the EICAR string that is the focus of the linked video, it doesn't even matter what the application does or does not do with the data of the QR code. It's the antivirus software running in the background which recognizes that malware appeared in the memory that application is managing, and which locks the system up.
@peternerlich Sure, but for the user the result is the same: Some code crashed their system. And now they'll never ever scan a code from something that looks weird again, no matter if it makes sense or not.
It's just a wild guess, I didn't go into detail, was happy that PassAndroid was accepted. ~f @mizah
O… wow. So that’s an OS-level issue, you can just denial-of-service their ticket scanning phone, because the phone OS (or antivirus) doesn’t trust that you (or some random other code somewhere) know not to do something bad with the QR code?
That’s… nasty.
I suppose that “only scan stuff from the official app” isn’t as strange of a policy anymore, though the way the policy was interpreted by the staff member is still silly, obviously.
In all honesty... If they fear some malicious actors causing issues, then they shouldn't offer a QR-code-based system to begin with, if they can't be bothered having a solid system that prevents issues like this to begin with...
@programmerpony Thank you for your interest! You can request them for free with a Codeberg account by filing an issue here (we have a template for that): codeberg.org/Codeberg-e.V./req… ~n
@RedTechEngineer It was mostly considered an experiment for us, but it worked better than expected. We'll probably improve protection of the machine, though, just in case. ~f @sun
@kilgoretrout It was successfully accepted a few times for me, too. Some then required to also show my student ID and personal ID cards, because there was no "further information about me on the screen".
I could imagine that making the ebook slightly interactive with some buttons and references in the book, you might be able to convince them that it's just "an official app running on that epaper tablet". ~f
Elias Probst
In reply to Codeberg.org:
Next time, hand-draw it, take a picture of it, then show it on your smartphone!
Elias Probst
In reply to Codeberg.org:
😑
They're basically doing client-side validation...
Chewie
In reply to Codeberg.org:
What's the point? It's usually just a reference number you could read out anyway....
Nikita Karamov
In reply to Codeberg.org:
> without verifying where they are coming from
I thought that's what the digital signatures are for??? 😂 Digitalisierung at its finest
Codeberg.org
In reply to Codeberg.org:
Waiting for the train ... we have all we need for "holidays" 😉
(posted a little late, because the train had bad WiFi)
Codeberg.org
In reply to Codeberg.org:
Checking the connections in a café, thanks to Öffi!
#OeffiApp #de_schildbach_oeffi
Codeberg.org
In reply to Baloo:
@baloo Emulating keyboard navigation for selecting the right boot device.
You know, not the kind of automation that is really worth the effort, but some fun. ~f
Codeberg.org
In reply to lynn:
@lynn We managed to break two of these server power supplies with a firmware update. And while searching for a fix, we have found videos demonstrating these very PSUs taking fire.
So ... you never know! ~f
chfkch :nixos: :rust:
In reply to Codeberg.org:
Rack on the Lack.
Ikea customers will know.
R. L. Dane :debian: :openbsd:
In reply to Codeberg.org:
Rackmount "laptop."
This is prime nerdery. 😄🤓🤓🤓🤓🤓
LumiWorx
In reply to Codeberg.org:
[singing - off key]
Happy Holidays, 2U... (or is that 3U?)
Codeberg.org
In reply to Professor Code:
@ProfessorCode
Yes, with #coreboot (which now works after fixing some issues with standby with their help).
Unfortunately, the USB-C port failed after about one year, still not sure about the exact reason.
@starlabssystems
Codeberg.org
In reply to lynn:
@lynn Some accept printed paper, this depends on the rules of your company. For my ticket, I have an offer to "save it in my wallet" or to print it.
Depending on your ticket, you have to refresh it every month or more frequently, though.
Codeberg.org
In reply to Codeberg.org:
For those still wondering about why they were "not allowed" to scan the other QR code: I suspect this is related to potential abuse vectors via QR codes (yes, we know, requiring the hacker to spoof it via a fake app instead of an ebook is not the answer).
Watch youtube.com/watch?v=cIcbAMO6sx… or read revk.uk/2020/01/eicar-test-qr.… for some background.
~f
R. L. Dane :debian: :openbsd:
In reply to Codeberg.org:
I avoid using the term "app" as much as possible, because I know full well that it is a PsyOp to normalize installing mal/spyware.
"Install our app" and "install our software" sound very different, even though they mean precisely the same thing.