Google Did Something REALLY Stupid - Protect Yourself!
Ғылым және технология
The dumbest move I've seen in a while...
• PART 2 (It's WORSE Than I Thought): • Google's Zip Domains A...
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: kzread.infojoin
▼ Time Stamps: ▼
0:00 - What's Going On?
1:37 - The Trick
3:12 - Is It Really That Bad?
3:54 - My Point: It's Still Worse
7:27 - Another Reason It's Bad
9:22 - How to Defend Against It?
9:54 - Just Block ALL .zip domains
10:22 - Blocking With DNS Services
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Пікірлер: 1 400
Even disregarding security risks, the obvious potential for confusing filenames and urls should have already been a dealbreaker.
@meghanachauhan9380
Жыл бұрын
Yea... It's gonna be a new golden era of hacking. Everything you built shall fall and on the ashes of your filesystems, we'll build a better one
@dingdong2103
Жыл бұрын
Even bigger problem is the way how Microsoft hides file extensions by default
@Darkn3ssF4ll
Жыл бұрын
Blame IANA
@ruadeil_zabelin
Жыл бұрын
@@dingdong2103 Yes! I hate that so much. Its such a security flaw its rediculous. It also doesnt make it any more easy to use either
@heavy0119
Жыл бұрын
@@meghanachauhan9380 fear mongering at its finest.
Using firefox tells a confirmation box if you want to browse the specific link after the '@' characters, while edge directly go to the link. Thumbs up firfox
@dluziond
Жыл бұрын
oh nice
@Finalizor
Жыл бұрын
more reasons to stay on firefox
@stupidfanboyph
Жыл бұрын
@@Finalizorut my office dont want to and keep Google Chrome. And with manifest v3 rolling out soon, not gonna be surprised if we get hacked or rnsmwred.
@ArtflPhenix
Жыл бұрын
hmm does not work on youtube comments specially the @ sign and any text is not included in the link
@fss1704
Жыл бұрын
@@ArtflPhenix you forgot to use the unicode slash
Google yet again proving they don't really care about user/consumer protection
@eIucidate
Жыл бұрын
Username: user Password: consumer
@breadone_
Жыл бұрын
im not even sure they dont care. theyre just completely incompetent
@near5148
Жыл бұрын
@@eIucidate hacker: imma type this is in
@Irobert1115HD
Жыл бұрын
its likely more someone with money but no brain getting to much to say at google. internet companys shouldnt be on sthe stock market and this is another piece of evidence.
@haroldcruz8550
Жыл бұрын
Never attribute to stupidity that which can be adequately explained by malice.
Imagine the nightmare of scams if Google releases domains of all types of file extensions 😱💀
@progCan
Жыл бұрын
google should have -infinity IQ to do that.
@sky_dragonsz
Жыл бұрын
they also added .mov
@p3rf3ctxzer0
Жыл бұрын
don't worry .rar4 is coming when google buys rar.
@BoltRM
Жыл бұрын
🔥😳🔥
@sc1ss0r1ng
Жыл бұрын
example.exe
A mistake from a multi trillion dollar company?! Dang.
@Splarkszter
Жыл бұрын
Worst is that they don't seem to want to back down "iT's ToO mUcH pApErWoRk" F_CK THEM ALL if you want something fixed, abuse it as hell.
@sihamhamda47
Жыл бұрын
And this is not their first mistake this year (because we have KZread starting to block any adblock extension from earlier this month)
@questaviation
Жыл бұрын
@@sihamhamda47 Bruh-
@charginginprogresss
Жыл бұрын
"mistake"
@MegasXLR
Жыл бұрын
@@sihamhamda47 if they block ad blockers I'm just not watching anymore KZread lmao I will not tolerate 2 30 second ads on a 3 minute video!
I consider myself a computer expert, but with decent social engineering, I would totally fall for this.
@ExacoMvm
Жыл бұрын
I wonder in what kind scenario? I honestly don't really see myself falling for it, the username:password URL thing yes but whatever goes after that would be harmless to me, unless it's some super SE e.g. Patreon or Discord Mod/Admin's of some plugin/tool or modded game gets hacked and someone edits one of the links with own attached malware, but it doesn't mean that someone couldn't simply replace the file with their own so the .zip domain maybe adds some risks but not really that much, it's just +1 way of hacking someone of a hundreds of ways.
@bestaround3323
Жыл бұрын
@Exaco I mean those who think themselves unable to be fooled are some of the simplest to fool. Hubris will get you in trouble.
@haukikannel
Жыл бұрын
Yeah… A post from my own company would go unnotised… This is really bad…
@ember9361
Жыл бұрын
@@ExacoMvm 5:10 About a third of this video is giving examples bud.
@technocracy90
Жыл бұрын
@Exaco Oh yeah, a classic "computer expert" saying more security hazards for "average people" is not a big deal, as if computers are only used by "experts". A friendly reminder is that even such tools that are used by nobody else than astronauts level experts, such as spacecraft themselves, are designed super carefully to minimize potential hazards. Imagine a single astronaut saying "eh I'm an expert so poor UI is not a big deal, make the numbers more confusing and I can deal with them" and you'll be like "wow what an expert he is" right?
It's funny how Google with all it's technically skilled engineers and programmers can somehow reach the conclusion that a dot zip domain is somehow a great idea.
@redstoneparadox
Жыл бұрын
This is probably coming solely from corporate; the engineers probably realized that their concerns would at best fall on deaf ears.
@aquarius5719
Жыл бұрын
I used to believe that to work at Google you had to be brilliant. Now I am not sure.
@ember9361
Жыл бұрын
@Central Based Agency are you seriously blaming immigrants in this? Lmfao
@notcorrect
Жыл бұрын
Google did this so they can make a quick buck off of scammers. They know what they are doing.
@LauraLovesHugs
Жыл бұрын
@@ember9361 yeah lol this decision REEKS of high level executives trying to make some extra money wherever they can while ignoring engineers, immigrant or otherwise. being racist doesn't solve any of these problems it's just pointing fingers at a group that isn't responsible and excusing the people who actually are.
I literally had to explain the different between home wifi and mobile data to a family member its going to be hard to explain .zip and the dangers. I feel like this was a google employee joke that went so far to become true.
@bountoj
Жыл бұрын
Holy shit, I thought I was the only one. A good majority of my family members don't understand this.
@tj71520
Жыл бұрын
most computer users will be powerless against this new problem 😢
@FlyboyHelosim
Жыл бұрын
Yeah, my dad's using limited mobile data like it's unlimited Wi-Fi. 😳
@DavidM2002
Жыл бұрын
That is far more common than you might think. If you say "data" to many people, they equate that to cell data usage; it's either "wifi" or "data" if they even understand that.
@Liggliluff
Жыл бұрын
And people saying "wi-fi" when they mean internet is already common. Wi-fi is wireless connection irregardless of an internet connection. You can have wi-fi and no internet.
Zip is a file extension so why confuse things by making it a domain. With companies out there making dumb decisions staying safe has got so much harder.
@thedrunkenrebel
Жыл бұрын
There should be a blacklist of words unable to be used for certain computer stuff, and it's funny why the past 4 decades haven't sprouted such list
@eddielowe8189
Жыл бұрын
@@thedrunkenrebel I fully agree, that some words should never be used for more than one purpose. We are being forced to use programs and trust them to keep us safe because companies make bad choices. the average user may not be aware they have holes in the network and those that do will forever be fixing them because of companies like Microsoft.
@gardian06_85
Жыл бұрын
it mostly comes down to there are only so many 3 character combinations, and the decision to have the majority of TLDs be 3 letters (easier to remember, easier to identify, less likely to be confused or misrepresented), but still be meaningful at least in English. then almost anyone with enough funding and infrastructure can register a TLD. what probably happened here was Marketing handed down a list they came up with, and either it was given to a few of the thousand some people that were pre-poached as something to do. Or a fully versed team tried to give push back, but was told it was a required directive, and they HAD to complete.
@ericb6048
Жыл бұрын
it's not a mistake, it's tactical agenda IMO. They're distressing the internet users to offer digital ID as the fix.
@ens0246
Жыл бұрын
I went on the site to see what their justification for creating this domain is and it's literally just "zip domains let your customers know you're fast paced and a real cool guy" unbelievable
Please don't forget that Google also released the .mov TLD (Top-Level-Domain) which can be ALSO seen as a file extension, in this case .mov witch is a MPEG-4 Apple Quick Time file format!
@philadams9254
Жыл бұрын
Yeah, that's also dumb. All so they can troll Apple apparently
@tookitogo
5 ай бұрын
FYI, .mov is _any_ QuickTime movie, regardless of codec used. .mov is a container format that doesn’t tell you anything about the contents within.
I've been suffering Google's ""mistakes"" lately: - Only can debloat Android TV from outside the system. - Can't disable Bluetooth discovery on some Android TVs. - Chromcast built in "guest mode" enabled by default and can only be disabled by Google Home app, or disabling the chromecast app entirely. And so on... That's why rooting devices and having advanced options for the ones who know what they are doing is mandatory to avoid headaches from this multi billon corporations that see you only as a product, so they don't care the problems they produce in your day to day life...
@hydra3693
Жыл бұрын
not to mention no banking apps for custom ROMs without stupid cat and mouse workarounds that may randomly stop working and rely on deprecated access modes. Android peaked in 2014.
@tehdanny682
Жыл бұрын
I recently ordered an Android TV and wasn't aware of these issues, so thanks for the warning, I'll take a look at those when I get the TV.
@tehdanny682
Жыл бұрын
@@hydra3693 hmm yes, I know some of these words. Are you handling your banking on your TV? Or is that an Androind phone issue
@encycl07pedia-
Жыл бұрын
@@tehdanny682 I got a Chromecast recently with KZread TV (I'm not sure if it's the same thing UI-wise). Bloat is a nuisance more than anything else. I'm not saying it's good, but it's not, AFAIK, some major security issue. The most aggravating thing about it is the lack of buttons on the remote virtually forcing you to use voice recognition to do anything. It's hard to blame Google for Android failings when Android is often modified by the OEMs. Samsung's Android is quite different from Google's.
@tehdanny682
Жыл бұрын
@@encycl07pedia- Ah, so I'm not necessarily getting bloat issues with my Philips android tv, it's just that some companies adds all of their apps, makes sense.
6:14 Fun fact, Discord actually hides credentials in URLs, so people would be less likely to get tricked!
@ThioJoe
Жыл бұрын
Good to know
@jer1776
Жыл бұрын
Itll probably take Google months to make a Chrome/Gmail update that does that.
@hadassahsoddsandends
Жыл бұрын
@@ThioJoe It might be good to know, if I understood what it meant!
@MyMobileGames
Жыл бұрын
@@hadassahsoddsandends somthing private information
@encycl07pedia-
Жыл бұрын
@@hadassahsoddsandends "Credentials" is just a way of saying username and password, essentially: the stuff you need to log in to a website.
In a couple of months google will announce that Chrome will block zip domains by default to protect users. They’ll spin it that they are the only company that cares about this issue and if you want protection you must use Chrome.
Ah.. yes... From the 1.56 Trillion Dollar company. Keep it up Google 👍🏻
@hungariancountryball2928
Жыл бұрын
Lol
@RKlol24
Жыл бұрын
Literally google fail moment💀💀
@killedbydead2953
Жыл бұрын
How STUPID can they be??!!
@goodgoyim9459
Жыл бұрын
indian power, so remarkable woooow
@beforedrrdpr
Жыл бұрын
@@goodgoyim9459 what?! 😅
Cheers mate, I'm a senior infosec resource for a 150,000 person business and I've used your video as our internal assessment. I've always liked your approach to content on InfoSec topics.
Why is every company destroying themselves rn?
@justsomeguywithoutamustang6436
Жыл бұрын
I knew it! Google being run by Aliens
@goodgoyim9459
Жыл бұрын
@@justsomeguywithoutamustang6436 i thought it was just indians?
@hungrygrimalkin5610
Жыл бұрын
Haven't you seen the google graveyard? Google is a failure, they got the low hanging fruit of search engine monopoly at a time with almost non existent alternatives and dominated through that same search engine. If Google were to start nowadays, nobody would know them.
@mind_of_a_darkhorse
Жыл бұрын
One word sums up their self-destruction...greed! When profits are more important than the product or the workers, it is a sure sign of eventual collapse! The pursuit of constant growth is unsustainable!
@ItsWuLx
Жыл бұрын
@@goodgoyim9459 bros a bot
Google Chrome should implement -the same- a similar warning as firefox did, -when the domain you'd actually end up at doesn't require authentication in the url.-
@fss1704
Жыл бұрын
it doesn't solve much
@tpkowastaken
Жыл бұрын
@@fss1704 Yeah hackers can just require authentication
@MasicoreLord
Жыл бұрын
@@tpkowastaken seems chrome removed support for that auth method in url years ago, and it just strips them out prior to navigating So looks like that warning would have to be something else.
@autohmae
Жыл бұрын
@@MasicoreLord no, it's worse, the behavior in Chrome hasn't changed, it's the same behavior IE removed over 15 years ago. I just tested, give it a domain with username and password and it will visit the website and authenticate with username and passport and as every browser has done: does not show anything about that in the URL, just the domain/website
@goku445
Жыл бұрын
Why do you use a product made by the enterprise that's the root cause of the issue?
Sometimes I feel that big companies like Google make such mistakes deliberately to sell you some extra useless feature claiming they’re protecting you.
I noticed that Firefox would show a prompt saying your logging into a site, and with the true domain. This would probably stop most phishing attacks if it was implemented in other browsers.
@ronnyparker7148
Жыл бұрын
well google owns firefox, so what do you think that says about concern for users/customeers
@Atlessa
Жыл бұрын
Google owns Firefox? Since when?
@Legendendear
Жыл бұрын
@@Atlessa They dont, but Firefox is financed by google. (To avoid monopoly lawsuit)
@Sid-69
Жыл бұрын
@@Legendendear And Apple financed Microsoft at one time. (Or was it vice versa?🤔) Anyway, financing ≠ owning
@Legendendear
Жыл бұрын
@@Sid-69 Isnt that exactly what I said?
7:00 You can't have underscores in domain names but dashes are certainly possible.
@ThioJoe
Жыл бұрын
Ah i see, yea same idea
@underscore.
Жыл бұрын
haha 7:00 and 7 likes
@SCIBER-IO
Жыл бұрын
How did you spot that dam.. Please print screen this command and show it in ur next salary discussion u deserve a raise dude
@Sid-69
Жыл бұрын
Can you have dashes either? I think you mean hyphens
@tin2001
Жыл бұрын
@@Sid-69 Difference? Aren't dashes and hyphens the exact same character?
There should be a feature where when you hover over a link, it highlights any particularly suspicious characters such as the at symbol or suspicious Unicode characters or lookalike characters in red, to alert the user that it's likely a dangerous link.
Firefox apparently warns you if you try to go to a URL with an @ so that's nice
@eekee6034
Жыл бұрын
It didn't warn me just now. Firefox version 113.0.2.
@thepikachugamer
Жыл бұрын
@@eekee6034 It is for me, tested with the url in the pinned comment. 113.0.2 (64-bit)
@xXVibrantSnowXx
Жыл бұрын
i use latest firefox, didn't get any warning
I caught the @ right away. It reminded me of a link an acquaintance sent me years ago with a username and password built in. But yeah, the vast majority of people I know wouldn't think anything of it. If I didn't have that previous experience, I might not either.
This is not a mistake. Google knows that scammers and malicious actors will pay for these domains, thus making them more money. It's always about money.
@memyshelfandeye318
Жыл бұрын
How does Google make money from domains? Hint: Google is not selling domain names ...
@JaivianDean
Жыл бұрын
@@memyshelfandeye318 .zip domains are currently being sold for 15 dollars/yr. This is because they just got released
@Mario583a
Жыл бұрын
@@memyshelfandeye318 Fine, we'll do it ourselves!!
@humilulo
Жыл бұрын
@@memyshelfandeye318 no, when a company buys a TLD they buy the rights to sell domain names with that TLD ending. so this means Google bought rights to sell domain names that end in '.zip'.
@ericb6048
Жыл бұрын
@@humilulo also, the premium domains add an approximate minimum of 1million. Google makes a million in seconds.. so the real culprit here is probably to break the internet, and rush in digital ID for their WEF and govt agency masters.
The biggest issue is autolinking though. So if you send someone an attachment, and mention the name of the zip file in the email, and the receiver clicks that link instead of the actual attachment, they'll be directed to that site which may or may not be malicious.
@ImpossibleOrange
Жыл бұрын
yeah, I see how this feature can be used without the .zip bit. having a legit looking url with @example .[any available domain] is still a really good way to trick someone. Unless you're aware about the @ exploit you wont have a clue. Since firefox already has a warning for it someone probably tried something like that already.
@ImpossibleOrange
Жыл бұрын
with autolink just take a domain with a common filename like presentation, project etc. and load it up with a virus
Another thing I would like to point out is that there are also malicious "mov" domain names as well that google let you register So watch out for those as well cheers
I still can't believe how well you transitioned from tech pranks to being an actual tech channel.
NextDNS is actually free for the first 300,000 queries/month (When exceeding the free monthly quota, NextDNS will continue to answer DNS queries like a classic non-blocking DNS service)
ThioJoe is the one scientist that warns everyone before the destruction.
@lmaoidgaf
Жыл бұрын
Obviously no one hears him now until some big scam got played using this trick and then everyone becomes an expert 😂
@nicholasvinen
Жыл бұрын
“Your scientists were so preoccupied with whether they could, they didn't stop to think if they should.”
@Sid-69
Жыл бұрын
"Thio Oppenheimer"
Good to know that someone is savvy enough to alert us netizens on upcoming scams and corporate stupidity. Thanks for the heads up!
I do really appreciate the time you take to make videos like this one, alerting us of potential dangerous situations. Thanks.
The issue isn't really the .zip extension but rather that browsers still support that antiquated URL format in the first place.
Yeah, I have always been very good at spotting suspicious urls but this may very well trip me up in future given that I pull from github and other codebases a lot! Google should just park this domain extension never to be used by anyone
I definitely think you're right about this one. Even those of us on Linux could potentially have a problem with it. The only solution I offer is to manually type in the domain name of whatever website you want to visit and once you've navigated somewhere within that site bookmark it and only ever use the bookmark going forward.
@charleswhite2426
Жыл бұрын
That has been my practice for awhile now.
@Sonario648
Жыл бұрын
But how would you know the name of the exact url without first typing it in?
@anon_y_mousse
Жыл бұрын
@@Sonario648 You wouldn't need to know the exact URL, just the domain name. As I said, navigate from there to where you need to be on a given site and bookmark that.
@xXVibrantSnowXx
Жыл бұрын
@@anon_y_mousse That barely fix half the problem
I absolutely agree with you. I could see myself falling to that type of scan and I consider myself fairly aware of scams.
Appreciate your keeping us on top of this! Thank you very much Joe!
No I'm thankful that you take the time to make these videos for us. I believe if your worried about security you have to be aware of the smallest details. Thank you and be safe .
Thanks Joe, I'm already on facebook in my local community spreading this info. This is a really stupid move by google.
This is pretty incredible, I was being safe about clicking links before but having to read the end of it every time is a bummer.
I am really surprised nobody at google could convince Google not to do this. That they would think this was an acceptable thing to do is just really bad for security.
BRUH. Is Google trying to help scammers or what?
@aerosw1ft
Жыл бұрын
They didn't even bother fixing scammers in youtube comments, don't think this would be any different
@ilovefoxes344
Жыл бұрын
Google is literally on Team Scam!
@hdezn26
Жыл бұрын
Google is paid directly by scammers.... why do we see bad ads, spam ,and other shady **** on google's platforms? That's why..... And that's why I block ads due to this... Google ain't going to give up that Scammer money especially after they lost all that ad revenue in the ADpocalipse.... and other incedents afterward... Also hour or multi-hour long ads... that's just a joke... If I wanted to watch a Infomercial.... I'd stay up late at night to see em... Sorry... Rant.
@Fighter_Builder
Жыл бұрын
They already don't do anything about scammers buying Google Search ads for popular software like OBS, so at this point I'd be legitimately surprised if they weren't actively trying to help them.
@ilovefoxes344
Жыл бұрын
I am starting to believe that Google's CEO is the world's best scammer.
Damn! this was worse than I initially thought! Thanks for educating and explaining the mitigations :)
I love your content over the years and this is a helpful video for lot of people . Thank you and keep more coming
Wow...this is insane. Thanks for the heads-up!
That's why google don't fight scammers, it loves them.
1:20 "Can you tell which one would download a .zip file with a virus in it?" Me who already watched sytonic's video -
Yes, this is a big problem. Thank you for the video !
I would like to correct that this isnt that big of a deal, because you can make this with any domain and then redirect it to a malicious link
This does seem like a bad idea, but what you didn't cover is why Google thinks it's a good idea in the first place. One would think they would have considered the downside to having this but the advantages outweigh the disadvantages. Could you make an update to your post that looks at this?
Thanks for videos like this... there is too many scammers out there - its good to know how to recognize them
I have a feeling there's a catch. Even if it's benign, no one would want to click on it, so therefore, who would want to register it?
I love your channel, wish there were more hours in the day for us students that have to work.
All this time .. _years_ lol .. I thought facebookmail *_WAS_* a spam/phishing domain. The more you know! 🌠 Thanks Thio! Also .. yes .. this new TLD is ridiculously dumb and dangerous.
Thanks again, Joe. Love your channel, bro.
Thanks, the explanation was really thorough
ThioJoe has been quietly becoming one of the most helpful KZreadrs.
In order to 'ID' ambiguous website names, URLs, etc, I copy the name and paste it in Notepad, as you mentioned.
Thank you for this and just "Oh Dear!"😮😅
Ty for the update thio!!!
This is gonna make not falling for those emails even harder, and help spawn more Scam Channels. Shout out to LTT.
Google is evolving backwards
Definitely forwarding this to my companies IT department!
I'm so glad to give you a second chance and that I actually watch your content now. Thanks for the heads up!
Ofcourse, google enabling hackers!!!
@borisvolski
Жыл бұрын
Android 13 limiting access without pc And hackers already got a virus to this OS before Android 13 made it to at least half of devices, bravo
Thank you for the information. I learned something I did not know and I'm a retired IT professional.
How do we change the font in the Chrome and Edge address bars (omnibars)? It appears to be stuck at the ambiguous insecure Segoe UI, where upper case i looks like lower case L. I tried to change it to a secure font, Tahoma or Verdana, but the change does affect the address bar. The setting is in Settings/Appearance/Custom Fonts, but it doesn't affect the address bar fonts. Fixing the font there would not solve the @ problem, but in Verdana the different foward slashes are distinct looking too.
@Microwave_Dave
Жыл бұрын
Easy solution - don't use Chrome or Edge. Use a browser that actually cares about your security. There is no reason why anybody should ever recommend Chrome to anybody else.
Bro I swear I like your videos you the best
If you don't want to use a web based redirect for that TLD, you can edit your windows host file and add an entry.
yeah, the Sun Audio file caused so much confusion in Gopher for any Australian site back in the day.
Why does a for profit corporation even have the ability to register a new top level domain? Thats a better question.
@Philonix
Жыл бұрын
probly the icann root servers and operations cost a lot, but its somewhat better to have that publicly funded than evil corp funding it, to keep links working and site data save., but owners of top level suffixes host own servers, to know if that is the real one, icann only needs to host the top, and that is probly not a lot of data, but that is the tlds, maybe ips are a lot more work to keep uptodata
2:26, Simple browser fix, just don't treat anything with a protocol at the start as an email address, doesn't matter how many email addresses that break, they'll just have to get special exceptions made for them, or they just stay broken, either way the browser needs some sort of protection against the hack even if it means inconvenience for an unlucky few
@cameron7374
Жыл бұрын
It's not an email address, it's a username for a website.
@zxuiji
Жыл бұрын
@@cameron7374 That's still an email address in short form. Either way the URIs in question are neither and are supposed to be just normal URLs hence the need for the browser to have more robust checks anyways. I'll admit if I was still naive enough to think that there's no way a simple URL could be made to be interpreted differently by the vs the browser, I would probably have done just simple checks too, now a looped string compare instead of character compare is needed to protect against such attacks
About the people saying it's no big deal because coming up with lookalike domains can already be done: that does not mean we should be giving bad actors an extra tool!
I wasn‘t aware of that risc, thank you very much.
Yeah, I don't think @Google thought this one through.
Everthing is sus when there is an "@" in your link and it's not an e-mail.
@Jacob-ABCXYZ
Жыл бұрын
On that topic, that would be an interesting way to use this
For windows home versions you can edit the host file to blacklist certain domains
Microsoft, Google, Apple could patch this issue with adding a user prompt whenever a “.zip” is actually a redirecting to an actual file or is malicious. Or patch it by adding protections similar to how you would patch sql injections in php.
Surely the point is, all those defenses of this new practice are just hand waving. How 'bout you just not do something stupid to begin with, Google?
Good to see you using your status to protect others. Most suss thing I seen was dodgy github links.
Great video as always. I have a doubt though. What if I right-click the link and select *save as..."? What shows up? A .zip file or a .html file?
Thank you for the warning and explanation. It is appreciated.
Quad9 is one of the best, if not the best, free security DNS providers. Reviews and tests have shown they have the most comprehensive malware and phishing blocking available.
@endeavor911
Жыл бұрын
Yes, they have the best malware and phishing filtering and they're also Swiss-based non-profit. They have servers worldwide in more than 200 locations in 90 nations.
Google really dropped the "don't" from "Don't be evil."
I agree! I knew one was fake when i saw the @ sign, but i thought it was the other way around. I didnt think of what you said. I use the feature all the time when i use my ftp servers.
@fredericapanon207
Жыл бұрын
@Dennis Smiley, ftp is deprecated these days because it is not a secure protocol. That password is sent in clear text which can be captured by a bad actor. SSH is the replacement secure protocol.
Just retype the domain in the browser and disable autodownload. Risk mitigated.
@LabArlyn
Жыл бұрын
This is a nice solution I often use.
@lxp
Жыл бұрын
Not much use to a novice
Jfc they must have seen this coming? Yet they chose to go threw with this?
This could be done with any extension already. Its not as directly a file like .zip but you could do it wiih an html page or aspx page too. The UserName:Pass@ format it self should have been decommissioned years ago due to a lack of security in the first place.
An interesting issue is one where you are trying to download a legitimate zip file from a certain site. Having an @ sign in the link before the filename could make someone think that they are downloading the legit file (same name and everything), but because the link goes to a different location you could be downloading anything.
So the top engineers in a top tech company can't figure it out 😕
@fredericapanon207
Жыл бұрын
@Jack, the engineers had nothing to do with that decision. Marketing all the way.
I would like to have a FONT when the similar unicode characters, and hiddens ones, etc are understanably different than the valid ones!... Anyone?
TBH since most downloads are hidden behind web pages with so many random characters in the URL I rarely used to bother looking at the end of the URLs to verify them (though I will be looking through the whole URL for @s now) so this sort of thing probably could have got me anyway by sneaking an @ near the end of the link. Is there a way to locally disable following any URLs with a username and password in them?
How could we live without you ThioJoe!
Let me know if I am wrong a zip file needs to be extracted, so if you see this and the file does not have to be extracted this should set the alarm bells going off. The only reason I can come up with is they are trying to make all zip files suspicious.
@Adriethyl
Жыл бұрын
There are way too many people on the internet that are dumb asf. They might not even notice at all.
@xe-wf5iv
Жыл бұрын
They couldn't even make it a self-extracting zip either. Because even the AV baked into windows would instantly flag the file as malicious.
Google isn't Google anymore. They see people as just money.
@MeroSany
Жыл бұрын
I think Microsoft like that too, Am I right?
@idan678
Жыл бұрын
@@MeroSany for real.. win11 spyware bloatware edition is f*ing BS with their force account
@TorutheRedFox
Жыл бұрын
@@MeroSany yup
What if there was an extensions that prevented any URLs that have an @ sign? How many sites use these kind of URLs?
It's easy to tell if it's real or fake the @ instead of the normal way it looks odd. Normal domains won't have an @ usually it's just /whatever zip so with the @ sign on domain won't look normal and that will be a red flag.
But isn't this better than the alternative, Thio? Google could will be held accountable if they sell .zip to malicious personnels. If this Top Level Domain was launched by any other lesser known company (the alternative), they couldn't be held as accountable, right? Sorry if I'm being ignorant.
@andygardiner6526
Жыл бұрын
Google will sell domains like any other TLD owner - there's no other reason to own it apart from control. AFAIK no other TLD owner has ever been held responsible for registration of domains by "malicious personnels".
@Liggliluff
Жыл бұрын
Is the company held accountable who sold the tools that the criminal used for malicious intent? I don't think so.
Thanks for making this video. I shared it with coworkers.
Once again...Thank you!
This is to go along with them scanning the contents of encrypted zip files. It's a cross promotional thing, you wouldn't get it.