Clever. It's creating a 1x13 image and filling it, left to right, with rgb values that correspond to the hex values of each character in "Hello world!\n". Then using the "gray:filename" output to flatten each RGB value (like #484848) into one grayscale value (like #48, 'H').
He first fills it with 6C, which corresponds to a lowercase 'l', to reduce the number of points that need to be filled in with something different...since 'l' is repeated a lot in "Hello world\n".
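As an added example (not the post's own generator, and not ImageMagick project code), here is the same trick written out for an arbitrary byte string: pick the most frequent byte as the `xc:` background, emit one `-draw "point x,0"` per differing position, and write through the `gray:` coder at `-depth 8`. The `convert` flag semantics (`-size`, `xc:`, `-depth`, `-fill`, `-draw`, `gray:`) are assumed to behave as in ImageMagick 6; the script only runs `convert` if it is on PATH.

```python
"""Added example: build the convert command line described in the thread
for any payload, not just "Hello world!\n"."""
import os
import shutil
import subprocess
import tempfile
from collections import Counter


def gray_hex(b: int) -> str:
    # A pixel whose R, G and B channels all equal b is written by the gray:
    # coder as the single byte b when the output depth is 8.
    return "#{0:02x}{0:02x}{0:02x}".format(b)


def build_convert_argv(payload: bytes, out_path: str, tool: str = "convert"):
    """Return (argv, base_byte) for a len(payload)x1 canvas.

    The canvas is pre-filled with the most frequent byte (0x6C, 'l', for
    "Hello world!\n" as in the post); every other position gets its own
    -fill colour and a -draw "point x,0". The flag semantics are assumed
    to match ImageMagick 6's convert.
    """
    if not payload:
        raise ValueError("empty payload")
    base = Counter(payload).most_common(1)[0][0]
    argv = [tool, "-size", f"{len(payload)}x1", "xc:" + gray_hex(base),
            "-depth", "8"]
    for x, b in enumerate(payload):
        if b != base:
            argv += ["-fill", gray_hex(b), "-draw", f"point {x},0"]
    argv.append("gray:" + out_path)
    return argv, base


def render(payload: bytes, tool: str = "convert"):
    """Run the generated command if ImageMagick is installed and return the
    raw bytes the gray: coder wrote, or None when `tool` is not on PATH."""
    if shutil.which(tool) is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        out = os.path.join(d, "out.bin")
        argv, _ = build_convert_argv(payload, out, tool)
        subprocess.run(argv, check=True)
        with open(out, "rb") as f:
            return f.read()


if __name__ == "__main__":
    argv, base = build_convert_argv(b"Hello world!\n", "out.txt")
    print(" ".join(argv))
    got = render(b"Hello world!\n")
    print("convert not installed" if got is None else got)
```

For "Hello world!\n" this yields a 13x1 canvas filled with `#6c6c6c` and ten `-draw` points (the three 'l' positions are already correct), which is exactly the reduction the comment above describes.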
Not sure Cunningham's law really applies here. I wasn't aware of the "gray:" functionality before this post. And, as you say, doesn't work on gm anyway :)
Can't help but feel that this approach might not be that cursed after all, seeing how you actually went through the effort of automatically testing all of these.
Exploits come to mind. Since imagemagick's interface is the command line, you'll find many services where some parameter is not properly sanitised and you can inject extra options to "convert". This generator gives you easy to use arbitrary file creation gadgets which can be extremely useful to escalate access.
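As an added example (hypothetical service code, not from the post or any real project), this shows the pattern the comment above describes: a `quality` parameter pasted into a shell string lets a caller append extra `convert` options, including the file-writing gadget. The hardened version validates each parameter against its expected type, passes an argv list with no shell, and pins the input coder so a user-supplied name cannot be parsed as an option. The attacker string, file names and the use of `-write` to emit the gadget's output mid-command are constructed for illustration.

```python
"""Added example: unsanitised convert parameter vs. a hardened call."""
import re
import shlex

# Constructed attacker input: a "quality" value that smuggles the gray:
# file-writing gadget from the post into the convert command line.
# (-write is assumed to write the current image sequence to the given file.)
GADGET = "80 -size 1x1 xc:#484848 -depth 8 -write gray:/tmp/pwned"


def vulnerable_cmd(upload: str, quality: str) -> str:
    """String concatenation: every whitespace-separated token in `quality`
    becomes a separate convert argument once the shell splits it."""
    return f"convert {upload} -quality {quality} thumb.jpg"


def injected_tokens(upload: str, quality: str) -> list:
    # What the shell would actually hand to convert (no execution here).
    return shlex.split(vulnerable_cmd(upload, quality))


# Hypothetical allow-list for upload names: no path separators, no shell
# metacharacters, and a leading '-' is rejected separately below.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def hardened_argv(upload: str, quality: str) -> list:
    """Return an argv list for subprocess.run (no shell) or raise.

    - quality must parse as an int in 1..100, so "80 -size ..." fails fast
    - upload must match the allow-list and must not start with '-'
    - an explicit coder prefix (png:) is assumed to stop convert from
      treating the name as an option or as anything but a file to read
    """
    q = int(quality)
    if not 1 <= q <= 100:
        raise ValueError("quality out of range")
    if not SAFE_NAME.fullmatch(upload) or upload.startswith("-"):
        raise ValueError("bad upload name")
    return ["convert", f"png:{upload}", "-quality", str(q), "jpg:thumb.jpg"]


if __name__ == "__main__":
    print(injected_tokens("cat.png", GADGET))
    print(hardened_argv("cat.png", "80"))
    try:
        hardened_argv("cat.png", GADGET)
    except ValueError as e:
        print("rejected:", e)
```

Run it and the vulnerable path prints an argv in which `-size`, `xc:#484848` and `-write gray:/tmp/pwned` appear as ordinary convert options, while the hardened path refuses the same input before anything is executed.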
Imagine someone goes to scan the QR code for a TOTP generator, and they scan the image rather than type the values into the generator, they get their phone rooted.
Not a fun way to start a new job or journalism project or whatever.
This attack vector is why I'm not a huge fan of QR codes. I am required to use them for some work that I do, but they are created by me and I test them before publishing them. I had to trust the QR code isn't doing anything malicious like routing to an unknown server before redirecting to the ultimate URL so it looks legit. There's just nothing in a QR code that allows for "guessing" if it's malicious or not.
The problem is not with QR codes themselves, but how readers/scanners present/use QR codes.
If you're not allowed to see the full URL/data inside the QR code when scanning it, before going to the URL/taking action on the data, then you need to try a different client.
Even the iOS provided ability with the Camera app only shows part of a URL and depending on the domain you might not even see the full domain.
I'm damn sure not installing a 3rd-party app that I have even less trust in to not do something shady. Typically, if I'm only provided a QR code, then I move along to something else. It irks me to no end that I have to use them in the manner that I do, and I voice my concerns anytime the discussion is held on whether they are needed. Unfortunately, they are expected to be provided; as has been suggested, not quite a barcode replacement, but similarly present in retail packaging.
I think they're a good replacement for barcodes, like in a grocer since they scan more easily, but yeah QRishing is a thing and people need to quit using them all over the place.
It also has the side effect of leaving a little DNS trail for everything you buy on top of the credit card records.
(Also unclear why downvoted above? Was something in this thread inaccurate or incorrect? Feel free to respond in the comments, so I can understand how to better post, since I use those points as a guide as to whether my ideas have value, please don't pollute the signals I monitor.)
Edit: A more compact way to get the same outcome: