Google Did Something REALLY Stupid - Protect Yourself!
Vložit
- čas přidán 8. 07. 2024
- The dumbest move I've seen in a while...
• PART 2 (It's WORSE Than I Thought): • Google's Zip Domains A...
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: czcams.com/users/ThioJoejoin
▼ Time Stamps: ▼
0:00 - What's Going On?
1:37 - The Trick
3:12 - Is It Really That Bad?
3:54 - My Point: It's Still Worse
7:27 - Another Reason It's Bad
9:22 - How to Defend Against It?
9:54 - Just Block ALL .zip domains
10:22 - Blocking With DNS Services
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ - Věda a technologie
Even disregarding security risks, the obvious potential for confusing filenames and urls should have already been a dealbreaker.
Yea... It's gonna be a new golden era of hacking. Everything you built shall fall and on the ashes of your filesystems, we'll build a better one
Even bigger problem is the way how Microsoft hides file extensions by default
Blame IANA
@@dingdong2103 Yes! I hate that so much. Its such a security flaw its rediculous. It also doesnt make it any more easy to use either
@@meghanachauhan9380 fear mongering at its finest.
Using firefox tells a confirmation box if you want to browse the specific link after the '@' characters, while edge directly go to the link. Thumbs up firfox
oh nice
more reasons to stay on firefox
@@Finalizorut my office dont want to and keep Google Chrome. And with manifest v3 rolling out soon, not gonna be surprised if we get hacked or rnsmwred.
hmm does not work on youtube comments specially the @ sign and any text is not included in the link
@@ArtflPhenix you forgot to use the unicode slash
Imagine the nightmare of scams if Google releases domains of all types of file extensions 😱💀
google should have -infinity IQ to do that.
they also added .mov
don't worry .rar4 is coming when google buys rar.
🔥😳🔥
example.exe
Google yet again proving they don't really care about user/consumer protection
Username: user
Password: consumer
im not even sure they dont care. theyre just completely incompetent
@@eIucidate hacker: imma type this is in
its likely more someone with money but no brain getting to much to say at google. internet companys shouldnt be on sthe stock market and this is another piece of evidence.
Never attribute to stupidity that which can be adequately explained by malice.
I consider myself a computer expert, but with decent social engineering, I would totally fall for this.
I wonder in what kind scenario?
I honestly don't really see myself falling for it, the username:password URL thing yes but whatever goes after that would be harmless to me, unless it's some super SE e.g. Patreon or Discord Mod/Admin's of some plugin/tool or modded game gets hacked and someone edits one of the links with own attached malware, but it doesn't mean that someone couldn't simply replace the file with their own so the .zip domain maybe adds some risks but not really that much, it's just +1 way of hacking someone of a hundreds of ways.
@Exaco I mean those who think themselves unable to be fooled are some of the simplest to fool. Hubris will get you in trouble.
Yeah… A post from my own company would go unnotised…
This is really bad…
@@ExacoMvm 5:10
About a third of this video is giving examples bud.
@Exaco Oh yeah, a classic "computer expert" saying more security hazards for "average people" is not a big deal, as if computers are only used by "experts".
A friendly reminder is that even such tools that are used by nobody else than astronauts level experts, such as spacecraft themselves, are designed super carefully to minimize potential hazards. Imagine a single astronaut saying "eh I'm an expert so poor UI is not a big deal, make the numbers more confusing and I can deal with them" and you'll be like "wow what an expert he is" right?
A mistake from a multi trillion dollar company?! Dang.
Worst is that they don't seem to want to back down "iT's ToO mUcH pApErWoRk"
F_CK THEM ALL
if you want something fixed, abuse it as hell.
And this is not their first mistake this year (because we have CZcams starting to block any adblock extension from earlier this month)
@@sihamhamda47 Bruh-
"mistake"
@@sihamhamda47 if they block ad blockers I'm just not watching anymore CZcams lmao I will not tolerate 2 30 second ads on a 3 minute video!
It's funny how Google with all it's technically skilled engineers and programmers can somehow reach the conclusion that a dot zip domain is somehow a great idea.
This is probably coming solely from corporate; the engineers probably realized that their concerns would at best fall on deaf ears.
I used to believe that to work at Google you had to be brilliant. Now I am not sure.
@Central Based Agency are you seriously blaming immigrants in this? Lmfao
Google did this so they can make a quick buck off of scammers. They know what they are doing.
@@ember9361 yeah lol this decision REEKS of high level executives trying to make some extra money wherever they can while ignoring engineers, immigrant or otherwise.
being racist doesn't solve any of these problems it's just pointing fingers at a group that isn't responsible and excusing the people who actually are.
I literally had to explain the different between home wifi and mobile data to a family member its going to be hard to explain .zip and the dangers. I feel like this was a google employee joke that went so far to become true.
Holy shit, I thought I was the only one. A good majority of my family members don't understand this.
most computer users will be powerless against this new problem 😢
Yeah, my dad's using limited mobile data like it's unlimited Wi-Fi. 😳
That is far more common than you might think. If you say "data" to many people, they equate that to cell data usage; it's either "wifi" or "data" if they even understand that.
And people saying "wi-fi" when they mean internet is already common. Wi-fi is wireless connection irregardless of an internet connection. You can have wi-fi and no internet.
Zip is a file extension so why confuse things by making it a domain. With companies out there making dumb decisions staying safe has got so much harder.
There should be a blacklist of words unable to be used for certain computer stuff, and it's funny why the past 4 decades haven't sprouted such list
@@thedrunkenrebel I fully agree, that some words should never be used for more than one purpose. We are being forced to use programs and trust them to keep us safe because companies make bad choices. the average user may not be aware they have holes in the network and those that do will forever be fixing them because of companies like Microsoft.
it mostly comes down to there are only so many 3 character combinations, and the decision to have the majority of TLDs be 3 letters (easier to remember, easier to identify, less likely to be confused or misrepresented), but still be meaningful at least in English.
then almost anyone with enough funding and infrastructure can register a TLD.
what probably happened here was Marketing handed down a list they came up with, and either it was given to a few of the thousand some people that were pre-poached as something to do. Or a fully versed team tried to give push back, but was told it was a required directive, and they HAD to complete.
it's not a mistake, it's tactical agenda IMO. They're distressing the internet users to offer digital ID as the fix.
I went on the site to see what their justification for creating this domain is and it's literally just "zip domains let your customers know you're fast paced and a real cool guy" unbelievable
Cheers mate, I'm a senior infosec resource for a 150,000 person business and I've used your video as our internal assessment. I've always liked your approach to content on InfoSec topics.
I've been suffering Google's ""mistakes"" lately:
- Only can debloat Android TV from outside the system.
- Can't disable Bluetooth discovery on some Android TVs.
- Chromcast built in "guest mode" enabled by default and can only be disabled by Google Home app, or disabling the chromecast app entirely.
And so on...
That's why rooting devices and having advanced options for the ones who know what they are doing is mandatory to avoid headaches from this multi billon corporations that see you only as a product, so they don't care the problems they produce in your day to day life...
not to mention no banking apps for custom ROMs without stupid cat and mouse workarounds that may randomly stop working and rely on deprecated access modes. Android peaked in 2014.
I recently ordered an Android TV and wasn't aware of these issues, so thanks for the warning, I'll take a look at those when I get the TV.
@@hydra3693 hmm yes, I know some of these words. Are you handling your banking on your TV? Or is that an Androind phone issue
@@tehdanny682 I got a Chromecast recently with CZcams TV (I'm not sure if it's the same thing UI-wise). Bloat is a nuisance more than anything else. I'm not saying it's good, but it's not, AFAIK, some major security issue. The most aggravating thing about it is the lack of buttons on the remote virtually forcing you to use voice recognition to do anything.
It's hard to blame Google for Android failings when Android is often modified by the OEMs. Samsung's Android is quite different from Google's.
@@encycl07pedia- Ah, so I'm not necessarily getting bloat issues with my Philips android tv, it's just that some companies adds all of their apps, makes sense.
Please don't forget that Google also released the .mov TLD (Top-Level-Domain) which can be ALSO seen as a file extension, in this case .mov witch is a MPEG-4 Apple Quick Time file format!
Yeah, that's also dumb. All so they can troll Apple apparently
FYI, .mov is _any_ QuickTime movie, regardless of codec used. .mov is a container format that doesn’t tell you anything about the contents within.
6:14 Fun fact, Discord actually hides credentials in URLs, so people would be less likely to get tricked!
Good to know
Itll probably take Google months to make a Chrome/Gmail update that does that.
@@ThioJoe It might be good to know, if I understood what it meant!
@@hadassahsoddsandends somthing private information
@@hadassahsoddsandends "Credentials" is just a way of saying username and password, essentially: the stuff you need to log in to a website.
In a couple of months google will announce that Chrome will block zip domains by default to protect users.
They’ll spin it that they are the only company that cares about this issue and if you want protection you must use Chrome.
Ah.. yes... From the 1.56 Trillion Dollar company. Keep it up Google 👍🏻
Lol
Literally google fail moment💀💀
How STUPID can they be??!!
indian power, so remarkable woooow
@@goodgoyim9459 what?! 😅
Why is every company destroying themselves rn?
I knew it! Google being run by Aliens
@@justsomeguywithoutamustang6436 i thought it was just indians?
Haven't you seen the google graveyard? Google is a failure, they got the low hanging fruit of search engine monopoly at a time with almost non existent alternatives and dominated through that same search engine. If Google were to start nowadays, nobody would know them.
One word sums up their self-destruction...greed! When profits are more important than the product or the workers, it is a sure sign of eventual collapse! The pursuit of constant growth is unsustainable!
@@goodgoyim9459 bros a bot
Sometimes I feel that big companies like Google make such mistakes deliberately to sell you some extra useless feature claiming they’re protecting you.
Google Chrome should implement -the same- a similar warning as firefox did, -when the domain you'd actually end up at doesn't require authentication in the url.-
it doesn't solve much
@@fss1704 Yeah hackers can just require authentication
@@tpkowastaken seems chrome removed support for that auth method in url years ago, and it just strips them out prior to navigating
So looks like that warning would have to be something else.
@@MasicoreLord no, it's worse, the behavior in Chrome hasn't changed, it's the same behavior IE removed over 15 years ago.
I just tested, give it a domain with username and password and it will visit the website and authenticate with username and passport and as every browser has done: does not show anything about that in the URL, just the domain/website
Why do you use a product made by the enterprise that's the root cause of the issue?
I noticed that Firefox would show a prompt saying your logging into a site, and with the true domain. This would probably stop most phishing attacks if it was implemented in other browsers.
well google owns firefox, so what do you think that says about concern for users/customeers
Google owns Firefox? Since when?
@@Atlessa
They dont, but Firefox is financed by google. (To avoid monopoly lawsuit)
@@Legendendear And Apple financed Microsoft at one time. (Or was it vice versa?🤔) Anyway, financing ≠ owning
@@Sid-69
Isnt that exactly what I said?
There should be a feature where when you hover over a link, it highlights any particularly suspicious characters such as the at symbol or suspicious Unicode characters or lookalike characters in red, to alert the user that it's likely a dangerous link.
I still can't believe how well you transitioned from tech pranks to being an actual tech channel.
I caught the @ right away. It reminded me of a link an acquaintance sent me years ago with a username and password built in. But yeah, the vast majority of people I know wouldn't think anything of it. If I didn't have that previous experience, I might not either.
7:00 You can't have underscores in domain names but dashes are certainly possible.
Ah i see, yea same idea
haha 7:00 and 7 likes
How did you spot that dam.. Please print screen this command and show it in ur next salary discussion u deserve a raise dude
Can you have dashes either? I think you mean hyphens
@@Sid-69
Difference? Aren't dashes and hyphens the exact same character?
Firefox apparently warns you if you try to go to a URL with an @ so that's nice
It didn't warn me just now. Firefox version 113.0.2.
@@eekee6034 It is for me, tested with the url in the pinned comment. 113.0.2 (64-bit)
i use latest firefox, didn't get any warning
Good to know that someone is savvy enough to alert us netizens on upcoming scams and corporate stupidity. Thanks for the heads up!
ThioJoe is the one scientist that warns everyone before the destruction.
Obviously no one hears him now until some big scam got played using this trick and then everyone becomes an expert 😂
“Your scientists were so preoccupied with whether they could, they didn't stop to think if they should.”
"Thio Oppenheimer"
Another thing I would like to point out is that there are also malicious "mov" domain names as well that google let you register So watch out for those as well
cheers
Yeah, I have always been very good at spotting suspicious urls but this may very well trip me up in future given that I pull from github and other codebases a lot! Google should just park this domain extension never to be used by anyone
I do really appreciate the time you take to make videos like this one, alerting us of potential dangerous situations. Thanks.
This is not a mistake. Google knows that scammers and malicious actors will pay for these domains, thus making them more money. It's always about money.
How does Google make money from domains?
Hint: Google is not selling domain names ...
@@memyshelfandeye318 .zip domains are currently being sold for 15 dollars/yr. This is because they just got released
@@memyshelfandeye318 Fine, we'll do it ourselves!!
@@memyshelfandeye318 no, when a company buys a TLD they buy the rights to sell domain names with that TLD ending. so this means Google bought rights to sell domain names that end in '.zip'.
@@humilulo also, the premium domains add an approximate minimum of 1million. Google makes a million in seconds.. so the real culprit here is probably to break the internet, and rush in digital ID for their WEF and govt agency masters.
The biggest issue is autolinking though. So if you send someone an attachment, and mention the name of the zip file in the email, and the receiver clicks that link instead of the actual attachment, they'll be directed to that site which may or may not be malicious.
yeah, I see how this feature can be used without the .zip bit. having a legit looking url with @example .[any available domain] is still a really good way to trick someone. Unless you're aware about the @ exploit you wont have a clue. Since firefox already has a warning for it someone probably tried something like that already.
with autolink just take a domain with a common filename like presentation, project etc. and load it up with a virus
NextDNS is actually free for the first 300,000 queries/month (When exceeding the free monthly quota, NextDNS will continue to answer DNS queries like a classic non-blocking DNS service)
The issue isn't really the .zip extension but rather that browsers still support that antiquated URL format in the first place.
I am really surprised nobody at google could convince Google not to do this. That they would think this was an acceptable thing to do is just really bad for security.
I absolutely agree with you.
I could see myself falling to that type of scan and I consider myself fairly aware of scams.
I definitely think you're right about this one. Even those of us on Linux could potentially have a problem with it. The only solution I offer is to manually type in the domain name of whatever website you want to visit and once you've navigated somewhere within that site bookmark it and only ever use the bookmark going forward.
That has been my practice for awhile now.
But how would you know the name of the exact url without first typing it in?
@@Sonario648 You wouldn't need to know the exact URL, just the domain name. As I said, navigate from there to where you need to be on a given site and bookmark that.
@@anon_y_mousse That barely fix half the problem
Thanks Joe, I'm already on facebook in my local community spreading this info. This is a really stupid move by google.
Google really dropped the "don't" from "Don't be evil."
I love your content over the years and this is a helpful video for lot of people . Thank you and keep more coming
This is pretty incredible, I was being safe about clicking links before but having to read the end of it every time is a bummer.
1:20
"Can you tell which one would download a .zip file with a virus in it?"
Me who already watched sytonic's video -
Appreciate your keeping us on top of this! Thank you very much Joe!
I would like to correct that this isnt that big of a deal, because you can make this with any domain and then redirect it to a malicious link
BRUH. Is Google trying to help scammers or what?
They didn't even bother fixing scammers in youtube comments, don't think this would be any different
Google is literally on Team Scam!
Google is paid directly by scammers.... why do we see bad ads, spam ,and other shady **** on google's platforms?
That's why.....
And that's why I block ads due to this... Google ain't going to give up that Scammer money especially after they lost all that ad revenue in the ADpocalipse.... and other incedents afterward...
Also hour or multi-hour long ads... that's just a joke... If I wanted to watch a Infomercial.... I'd stay up late at night to see em...
Sorry... Rant.
They already don't do anything about scammers buying Google Search ads for popular software like OBS, so at this point I'd be legitimately surprised if they weren't actively trying to help them.
I am starting to believe that Google's CEO is the world's best scammer.
This does seem like a bad idea, but what you didn't cover is why Google thinks it's a good idea in the first place. One would think they would have considered the downside to having this but the advantages outweigh the disadvantages. Could you make an update to your post that looks at this?
About the people saying it's no big deal because coming up with lookalike domains can already be done: that does not mean we should be giving bad actors an extra tool!
Google: there are already many ways...
Incredibly dumb argument.
I have a feeling there's a catch. Even if it's benign, no one would want to click on it, so therefore, who would want to register it?
ThioJoe has been quietly becoming one of the most helpful CZcamsrs.
Wow...this is insane. Thanks for the heads-up!
No I'm thankful that you take the time to make these videos for us. I believe if your worried about security you have to be aware of the smallest details. Thank you and be safe .
That's why google don't fight scammers, it loves them.
Damn! this was worse than I initially thought! Thanks for educating and explaining the mitigations :)
It doesn't stop the stupidity of forcing everyone to use the absolutely terrible Google Authenticator if you want to keep your account with them safe.
Yes, this is a big problem. Thank you for the video !
Google is evolving backwards
This is gonna make not falling for those emails even harder, and help spawn more Scam Channels.
Shout out to LTT.
And it's another video for my "Don't Be Evil" playlist... this one is, just terrible.
All this time .. _years_ lol .. I thought facebookmail *_WAS_* a spam/phishing domain.
The more you know! 🌠 Thanks Thio!
Also .. yes .. this new TLD is ridiculously dumb and dangerous.
What shocks me about this is that it's so obviously stupid, even to laymen, and yet this giant company with tons of expertise decides they're going to do it. Why? What value could this possibly serve?
Thanks for videos like this... there is too many scammers out there - its good to know how to recognize them
Ofcourse, google enabling hackers!!!
Android 13 limiting access without pc
And hackers already got a virus to this OS before Android 13 made it to at least half of devices, bravo
Everthing is sus when there is an "@" in your link and it's not an e-mail.
On that topic, that would be an interesting way to use this
"We already have a half dozen unlocked doors in this building. Hey! Great idea! Let's put another one in that wall over there!"
Ty for the update thio!!!
I love your channel, wish there were more hours in the day for us students that have to work.
Why does a for profit corporation even have the ability to register a new top level domain? Thats a better question.
probly the icann root servers and operations cost a lot, but its somewhat better to have that publicly funded than evil corp funding it, to keep links working and site data save., but owners of top level suffixes host own servers, to know if that is the real one, icann only needs to host the top, and that is probly not a lot of data, but that is the tlds, maybe ips are a lot more work to keep uptodata
They fired 12000 people, probably the seniors and good one.
In order to 'ID' ambiguous website names, URLs, etc, I copy the name and paste it in Notepad, as you mentioned.
How do we change the font in the Chrome and Edge address bars (omnibars)? It appears to be stuck at the ambiguous insecure Segoe UI, where upper case i looks like lower case L. I tried to change it to a secure font, Tahoma or Verdana, but the change does affect the address bar. The setting is in Settings/Appearance/Custom Fonts, but it doesn't affect the address bar fonts.
Fixing the font there would not solve the @ problem, but in Verdana the different foward slashes are distinct looking too.
Easy solution - don't use Chrome or Edge. Use a browser that actually cares about your security.
There is no reason why anybody should ever recommend Chrome to anybody else.
Thank you for this and just "Oh Dear!"😮😅
Never attribute to stupidity that which can be adequately explained by malice.
Bro I swear I like your videos you the best
Surely the point is, all those defenses of this new practice are just hand waving. How 'bout you just not do something stupid to begin with, Google?
Just because of the confusion this shouldn’t be a thing.
I blocked these last night but can't manage every employee's home firewall.
Just retype the domain in the browser and disable autodownload. Risk mitigated.
This is a nice solution I often use.
Not much use to a novice
Yeah, I don't think @Google thought this one through.
Been saying for over 25 years as an ICT prof. That hiding file extensions as a default was incredibly stupid. Making the end users dumber thanks to m$, apple and google...... practically criminal
To be clear though: 99.999% of all companies block zip in mail anyways. And some people will click anything really....
What if there was an extensions that prevented any URLs that have an @ sign? How many sites use these kind of URLs?
2:26, Simple browser fix, just don't treat anything with a protocol at the start as an email address, doesn't matter how many email addresses that break, they'll just have to get special exceptions made for them, or they just stay broken, either way the browser needs some sort of protection against the hack even if it means inconvenience for an unlucky few
It's not an email address, it's a username for a website.
@@cameron7374 That's still an email address in short form. Either way the URIs in question are neither and are supposed to be just normal URLs hence the need for the browser to have more robust checks anyways. I'll admit if I was still naive enough to think that there's no way a simple URL could be made to be interpreted differently by the vs the browser, I would probably have done just simple checks too, now a looped string compare instead of character compare is needed to protect against such attacks
Quad9 is one of the best, if not the best, free security DNS providers. Reviews and tests have shown they have the most comprehensive malware and phishing blocking available.
Yes, they have the best malware and phishing filtering and they're also Swiss-based non-profit. They have servers worldwide in more than 200 locations in 90 nations.
Thanks, the explanation was really thorough
Google: Understood. Instead of canceling ".zip," we will create the ".dll" TLD
The rationale of the truly myopic: "Hey, there's already problems, so what if we make one more?!!"
I would like to have a FONT when the similar unicode characters, and hiddens ones, etc are understanably different than the valid ones!... Anyone?
I'm not personally worried about this, but how do I explain this to my mother...
Many times, the URL is so large that you can't even see it fully in the bottom bar. We may just check the first few letters to somewhat verify the target.
Gosh, such a security nightmare this is.
So the top engineers in a top tech company can't figure it out 😕
@Jack, the engineers had nothing to do with that decision. Marketing all the way.
Good to see you using your status to protect others. Most suss thing I seen was dodgy github links.
Refund scammers be like
“write this down!!!”
yeah, the Sun Audio file caused so much confusion in Gopher for any Australian site back in the day.
Jfc they must have seen this coming? Yet they chose to go threw with this?
It's just crazy to me how google would do something this reckless. It's insane to me.
Commonly used file names shouldn’t be registered as top level domains. This is a problematic situation. Major red flag 🚩
Google isn't Google anymore. They see people as just money.
I think Microsoft like that too, Am I right?
@@MeroSany for real.. win11 spyware bloatware edition is f*ing BS with their force account
@@MeroSany yup
But isn't this better than the alternative, Thio?
Google could will be held accountable if they sell .zip to malicious personnels. If this Top Level Domain was launched by any other lesser known company (the alternative), they couldn't be held as accountable, right? Sorry if I'm being ignorant.
Google will sell domains like any other TLD owner - there's no other reason to own it apart from control. AFAIK no other TLD owner has ever been held responsible for registration of domains by "malicious personnels".
Is the company held accountable who sold the tools that the criminal used for malicious intent? I don't think so.
I wasn‘t aware of that risc, thank you very much.
Definitely forwarding this to my companies IT department!
Let me know if I am wrong a zip file needs to be extracted, so if you see this and the file does not have to be extracted this should set the alarm bells going off. The only reason I can come up with is they are trying to make all zip files suspicious.
There are way too many people on the internet that are dumb asf. They might not even notice at all.
They couldn't even make it a self-extracting zip either. Because even the AV baked into windows would instantly flag the file as malicious.