Wales announces World's First Wikipedia Town


(NB. The Wales in the headline isn't Jimbo Wales, one of the founders of Wikipedia. It's Wales, the country on the mid-Western coast of the UK.)

You might not yet have heard of Wikipedia GLAM.

It's a project targeting galleries, libraries, archives and museums, aimed at "improving Wikipedia's coverage of topics related to the cultural sector".

GLAM has just over 30 participants at the moment, such as the Smithsonian Institution in the USA, the Australian Paralympic Committee & National Sport Information Centre, and the National Library of Israel.

Intriguingly, GLAM has just notched up its first complete town.

The Welsh town of Monmouth (or Trefynwy in Welsh) formally launched itself, over the past weekend, as the World's First Wikipedia Town.

The project aims to place QR codes - or, more precisely, QRpedia codes - at 1000 notable locations around Monmouth, a town rich in history and popular with tourists.

QR codes are two-dimensional barcodes, originally invented in the 1990s by Toyota in Japan to track vehicles during manufacturing. They're now seen fairly frequently in marketing campaigns, notably on street-level billboards.

Mobile phones with a camera and suitable software can capture, decode and act upon codes printed in adverts. The QR code typically unravels into a URL which is then displayed on the device.

The theory is that you no longer need to remember and later type in a URL. Pointing your phone at the advert and clicking the "snap photo" button is enough. You barely need to slow down, and you can examine the resulting content as you keep on walking.

Of course, as online interactions are simplified - made frictionless, in internet newspeak - security abuses are often simplified at the same time.

Naked Security wrote last year about the use of QR codes for parking payments in Islington, London. In this application, a QR code on a sign took you "frictionlessly" to the URL:

     http://m.paybyphone.co.uk/?
     utm_source=islington&
     utm_medium=qrcode&
     utm_campaign=mweb

As we mentioned in that article, the URL (which leads to an insecure site, albeit one which then redirects to an HTTPS site) is lengthy enough that it's unclear, on many mobile devices, quite what follows the "paybyphone" part of the URL.

Yet the next step - since this is all about paying for parking - is to create an account and to connect it to a credit card, details of which you are invited to type in.

A "hack" as simple as a sticker placed over the sign could be used to orchestrate a phishing attack.

Should we expect visitors to the world's first Wikipedia Town to be phished in this way?

The good news is that QRpedia codes currently unravel to consistently short URLs, of the form:

     http://xx.qrwp.org/yyyy

(The characters xx denote a language code, such as en for English.)

That ought to make it easy to check that a Wikipedia QR code really does take you to a known Wikipedia-owned URL. And, since Wikipedia is free, there should be no point at which you will be asked to give personal information such as credit card numbers or PINs.
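The URL-form check described above, written out as an added example (not code from QRpedia or from this article). It assumes the language label is two or three lowercase letters and treats any port, userinfo, query string or extra host label as a mismatch; the sample payloads are constructed, with example.net standing in for an unrelated host.

```python
import re
from urllib.parse import urlsplit

# Assumption: "xx" is a short lowercase language label such as "en" or "cy".
LANG_LABEL = re.compile(r"[a-z]{2,3}")
EXPECTED_DOMAIN = ["qrwp", "org"]


def check_qrpedia_url(payload):
    """Return (ok, reason) for the text decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port            # a malformed port raises ValueError
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme not in ("http", "https"):
        return False, "unexpected scheme"
    if "@" in parts.netloc:
        return False, "userinfo before '@' disguises the real host"
    if port is not None:
        return False, "explicit port is not part of the expected form"
    host = parts.hostname or ""
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike characters)"
    labels = host.split(".")
    if len(labels) != 3 or labels[1:] != EXPECTED_DOMAIN:
        return False, "host is not a direct subdomain of qrwp.org"
    if not LANG_LABEL.fullmatch(labels[0]):
        return False, "first label is not a language code"
    if len(parts.path) < 2 or parts.query or parts.fragment:
        return False, "path/query does not match /yyyy"
    return True, "matches http://xx.qrwp.org/yyyy"


# Constructed sample payloads; example.net stands in for any unrelated host.
SAMPLES = [
    "http://en.qrwp.org/Monmouth",
    "http://en.qrwp.org.example.net/Monmouth",
    "http://en.qrwp.org@example.net/Monmouth",
    "http://qrwp.org.example.net/en/Monmouth",
    "http://en.qrwp.\u043erg/Monmouth",   # Cyrillic letter in place of "o"
    "http://m.paybyphone.co.uk/?utm_source=islington",
]

if __name__ == "__main__":
    for s in SAMPLES:
        ok, reason = check_qrpedia_url(s)
        print("%-6s %-45s %s" % ("OK" if ok else "REJECT", ascii(s), reason))
```

Only the first sample passes; the others carry the expected name somewhere in the string but resolve to a different host, which is the detail a truncated address bar on a phone tends to hide.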

It still pays to be careful, though, so:

* Stick to QR decoding applications which show you the full URL and ask for confirmation before rushing you there.

* Make sure that you know (and ideally can restrict) what sort of personal information is being bundled into the web requests generated by the QR decoding application.

Wikipedia's QRpedia codes, for example, rely on your language settings being transmitted in the web request, so Wikipedia can look for an article in your preferred language. That's a nice idea, but remember that other users of QR codes may be hoping for much more information about you, such as your location.

Oh. And don't forget to exercise some caution before choosing a WiFi hotspot to use.

If you're an overseas tourist, the high cost of mobile data roaming makes WiFi - even paid WiFi - very attractive.

Let's hope that Monmouth, which is rolling out town-wide free WiFi as part of its GLAM project, offers fully-authenticated WiFi access to those who want better-than-usual security.

Certificate-based EAP WiFi authentication isn't as "frictionless" as basic WPA - you have to load a security certificate for the target network onto your device first. But it forces the network to identify itself to you, not just you to the network.


5 Responses to Wales announces World's First Wikipedia Town

  1. How long til someone RickRolls Monmouth?

  2. Nigel · 862 days ago

    On its face (notwithstanding the security risks the article cites), this seems harmless enough. But the potential for other abuses that compromise security and personal liberty is enormous. Big Brother (as in Orwell's "1984") was frictionless too.

  3. Peter Davies · 862 days ago

    For your information, GLAM is the abbreviation of the county of Glamorganshire but Monmouth is next door in Gwent!

    • Paul Ducklin · 862 days ago

      Maybe they should dump GLAM (Galleries, Libraries, Archives and Museums) for GWENT (Galleries, Workspaces, Exhibitions, National libraries and Towns).

  4. @ Paul Ducklin: genius!


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog