Wales announces World’s First Wikipedia Town

(NB. The Wales in the headline isn’t Jimbo Wales, one of the founders of Wikipedia. It’s Wales, the country on the mid-Western coast of the UK.)

You might not yet have heard of Wikipedia GLAM.

It’s a project targeting galleries, libraries, archives and museums, aimed at “improving Wikipedia’s coverage of topics related to the cultural sector”.

GLAM has just over 30 participants at the moment, such as the Smithsonian Institution in the USA, the Australian Paralympic Committee & National Sport Information Centre, and the National Library of Israel.

Intriguingly, GLAM has just notched up its first complete town.

The Welsh town of Monmouth (or Trefynwy in Welsh) formally launched itself, over the past weekend, as the World’s First Wikipedia Town.

The project aims to place QR codes – or, more precisely, QRpedia codes – at 1000 notable locations around Monmouth, a town rich in history and popular with tourists.

QR codes are two-dimensional barcodes, originally invented in the 1990s by Toyota in Japan to track vehicles during manufacturing. They’re now seen fairly frequently in marketing campaigns, notably on street-level billboards.

Mobile phones with a camera and suitable software can capture, decode and act upon codes printed in adverts. The QR code typically unravels into a URL which is then displayed on the device.

The theory is that you no longer need to remember and later type in a URL. Pointing your phone at the advert and clicking the “snap photo” button is enough. You barely need to slow down, and you can examine the resulting content as you keep on walking.

Of course, as online interactions are simplified – made frictionless, in internet newspeak – security abuses are often simplified at the same time.

Naked Security wrote last year about the use of QR codes for parking payments in Islington, London. In this application, a QR code on a sign took you “frictionlessly” to the URL:

As we mentioned in that article, the URL (which leads to an insecure site, albeit one which then redirects to an HTTPS site) is lengthy enough that it’s unclear, on many mobile devices, quite what follows the “paybyphone” part of the URL.

Yet the next step – since this is all about paying for parking – is to create an account and to connect it to a credit card, details of which you are invited to type in.

A “hack” as simple as a sticker placed over the sign could be used to orchestrate a phishing attack.

Should we expect visitors to the world’s first Wikipedia Town to be phished in this way?

The good news is that QRpedia codes currently unravel to consistently short URLs, of the form:

(The characters xx denote a language code, such as en for English.)

That ought to make it easy to check that a Wikipedia QR code really does take you to a known Wikipedia-owned URL. And, since Wikipedia is free, there should be no point at which you will be asked to give personal information such as credit card numbers or PINs.

It still pays to be careful, though, so:

* Stick to QR decoding applications which show you the full URL and ask for confirmation before rushing you there.

* Make sure that you know (and ideally can restrict) what sort of personal information is being bundled into the web requests generated by the QR decoding application.

Wikipedia’s QRpedia codes, for example, rely on your language settings being transmitted in the web request, so Wikipedia can look for an article in your preferred language. That’s a nice idea, but remember that other users of QR codes may be hoping for much more information about you, such as your location.
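As an added example (not part of the original article), here is the kind of check a QR reader could run at the confirmation step: parse the decoded payload and compare the host it really leads to against an allowlist. The domain `wiki-qr.example`, the function name `vetQrPayload` and the sample payloads are constructed placeholders, because the expected domain is not given here.

```javascript
// Added example: vet a decoded QR payload before opening it.
// ALLOWED_DOMAINS holds a placeholder; the real domain list is an assumption.
const ALLOWED_DOMAINS = ["wiki-qr.example"];

function vetQrPayload(payload, allowed = ALLOWED_DOMAINS) {
  let url;
  try {
    url = new URL(payload.trim());
  } catch {
    return { ok: false, host: null, reason: "not a URL" };
  }
  // Normalise the host: lower case, no trailing dot.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, host, reason: "unexpected scheme " + url.protocol };
  }
  // "https://trusted@other-host/" shows the trusted name first but goes elsewhere.
  if (url.username || url.password) {
    return { ok: false, host, reason: "userinfo before host" };
  }
  // The URL parser returns internationalised names in punycode ("xn--...").
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, host, reason: "punycode label in host" };
  }
  // Match on a label boundary, so "evilwiki-qr.example" does not pass.
  const match = allowed.some((d) => host === d || host.endsWith("." + d));
  if (!match) {
    return { ok: false, host, reason: "host not on allowlist" };
  }
  const secure = url.protocol === "https:";
  return { ok: true, host, reason: secure ? "ok" : "ok, but plain HTTP" };
}

// Constructed sample payloads, as a reader app might decode them.
const SAMPLES = [
  "https://en.wiki-qr.example/Monmouth",
  "https://en.wiki-qr.example.pay.example/Monmouth",
  "https://en.wiki-qr.example@pay.example/Monmouth",
  "https://evilwiki-qr.example/Monmouth",
  "tel:0000000000",
];
for (const s of SAMPLES) {
  const r = vetQrPayload(s);
  console.log(`${r.ok ? "OPEN " : "BLOCK"} host=${r.host} (${r.reason}) <- ${s}`);
}
```

Only the first sample is opened; the others start with the expected name but resolve to a different host or scheme, which is exactly what a truncated address bar on a phone hides.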

Oh. And don’t forget to exercise some caution before choosing a WiFi hotspot to use.

If you’re an overseas tourist, the high cost of mobile data roaming makes WiFi – even paid WiFi – very attractive.

Let’s hope that Monmouth, which is rolling out town-wide free WiFi as part of its GLAM project, offers fully-authenticated WiFi access to those who want better-than-usual security.

Certificate-based EAP WiFi authentication isn’t as “frictionless” as basic WPA – you have to load a security certificate for the target network onto your device first. But it forces the network to identify itself to you, not just you to the network.