swizzlestick
@swizzlestick@lemmy.zip
- Comment on Welcome to Lemmy.zip 1 day ago:
Really went all in on the application then, haha.
Welcome 🙂
- Comment on Welcome to Lemmy.zip 1 day ago:
Welcome! 👋
- Comment on Welcome to Lemmy.zip 2 days ago:
Welcome, welcome. Excellent snag of a 3char username.
Mosey around, make yourself at home. Donations can be made on Open Collective and Ko-Fi.
- Comment on Welcome to Lemmy.zip 2 days ago:
I can happily verify this (Mullvad). Without a VPN, I can’t even be here - so it is all good :D
- Comment on Welcome to Lemmy.zip 2 days ago:
Throw enough people at something, and one of them will fail. The more people, the higher the chance.
Perfect people in a perfect world would not need fire extinguishers, seatbelts, helmets, endpoint protection software, or TLD level blocks. You can try to train the problem out of people, but the threat still exists, mistakes can be made, and the next 0day might be just around the corner.
I’m not a fan of sorting people problems out with tech based solutions either - I see your point. The pragmatist in me will take that over dealing with the fallout of user error though.
- Comment on Welcome to Lemmy.zip 2 days ago:
And a TLD shouldn’t be so easy to mistake for one of the most recognisable filetypes ever, yet here we are. Well made apps discern between a zip file and a zip web address without issue. The problem, as usual, is in the human element:
- Register a zip domain called
holidayphotos2025.zip
,2025ProductData.zip
or whatever hook you’re going for. - Serve up whatever malicious garbage you like on it. Spoofed login pages, browser exploits, anything goes.
- Email it out from an already compromised account to all account contacts, removing the https component of the link text. Bonus points for imitating how an attachment would look in the target email client.
- Watch the clicks roll in as people try to open the ‘attachment’.
Having .zip in the string and in the link visible on hover could be all that is needed to ‘sell’ it to a user that makes a cursory glance before clicking - nevermind the ones that just click anyway. Plenty of folk have fallen for more obvious traps than that, so it’s a winner for a bad actor. Any trick that lends legitimacy to a scam increases the chance of success. Users savvy enough to check but not enough to spot the discrepancy may also have more data interesting to an attacker.
Blocking .zip TLDs wholesale at DNS level kills this even if the first and hardest hurdle (getting the user to click) is cleared. I’ll concede that it is an edge case in the grand scheme of things, but why leave the hole open when it is so easily plugged?
- Register a zip domain called
- Comment on Welcome to Lemmy.zip 3 days ago:
If I associated with skooma users, I’d probably order something like that too…
- Comment on Welcome to Lemmy.zip 3 days ago:
Welcome - bumping into a lot of ee folk and it’s great to see you all making new homes. Just a shame about the circumstances.
Sure they were a bit blunt, but some people just are. Bit cheeky of them to drop in from outside and chat shit in our home community though, agreed there 😅
- Comment on Google confirms more ads on your paid YouTube Premium Lite soon 3 days ago:
It’s better to name known safe options rather than leave it up to user search. The entities that work against extensions like uBO are already well aware of their existence, so hiding their names has no benefit.
Case in point - uBlock and uBlock Origin are not the same, with the former being a bastardised version that does ‘acceptable ads’. There are plenty of other poor blocking options out there for the unsuspecting to stumble into to besides that.
Personal setup is Librewolf/uBO on the client and pfBlockerNG/Snort for network level blocking/additional security layer.
And welcome to .zip :) Hope you enjoy the new home!
- Comment on Welcome to Lemmy.zip 3 days ago:
More folk still wandering in, love to see it. A shame about the circumstances though.
Hope you get on well here :)
- Comment on Welcome to Lemmy.zip 3 days ago:
It’s a genuine concern, if a bit overkill. On release, .zip domains were quickly seized upon by bad actors land grabbing anything they could roll into a phishing attack. If you’ve got folk on your network that may be prone to that, then blocking the TLD is an effective bludgeon to the problem.
Blocking is unlikely to cause issues for the Average Internet User, due to the lack of popularity in mainstream services that use .zip. There are always ways to make exceptions where needed - a restrictive policy with exceptions is more secure than a permissive policy with selective blocks, as it prevents new malicious .zip domains getting through. It’s a security cat and mouse game otherwise.
As for how they are here - I guess it’s through federation with .world, so they’re not accessing .zip directly.
I also block .zip domains, but at work rather than home. No complaints yet.
- Comment on Welcome to Lemmy.zip 4 days ago:
(and taking time to enjoy many of the application messages!)
I would love to see some of these - maybe as an ‘editors pick’ on the monthly updates. Attributed or anonymous depending on user preference if picked.
I am sure plenty of users have attempted comedy in that box, with some of them actually funny 🙃
- Comment on Welcome to Lemmy.zip 4 days ago:
Hex users unhappy about default blocks. Supporters of defed unhappy that it isn’t full defed. Admins probably not overjoyed to have to be dealing with it either way.
Nobody completely satisfied, so it’s a true compromise.
- Comment on Welcome to Lemmy.zip 4 days ago:
Let us all know if it becomes a struggle. I’m always happy to pitch in.
- Comment on Welcome to Lemmy.zip 4 days ago:
Hard no from me personally, same with anchovies. If forced to choose, pineapple is the lesser evil of the two.
But if I’m not eating it, it’s not my business really.
- Comment on Welcome to Lemmy.zip 4 days ago:
More the merrier* :)
*As many as we can handle, at least!
- Comment on Welcome to Lemmy.zip 4 days ago:
Welcome - I am immediately jealous of your handle 😅
- Comment on Welcome to Lemmy.zip 4 days ago:
For all the newcomers, Demigodrick & co do a fantastic job of looking after us all in our little corner.
For UK users, you may be better off at feddit.uk though. This instance has opted to geoblock UK (on browsers at least - apps and instance federation currently unaffected) due to the requirements of the OSA. Worth a mention.
I keep an alt on feddit.uk but still use this as my main. Where allowed, it is good practice to keep an alt elsewhere and occasionally copy your community subscriptions over to it. Saves a lot of time and panic if a lemm.ee situation arises again.
Oh, and welcome!
- Comment on Cold Callers phoning during work hours and then not accepting your at work and can't spend 30 mins listening to their script. 2 weeks ago:
We have an automated sin bin extension that we transfer these calls to as soon as we ID them as crap. It’s usually shipping accounts, Chinese factories and forex these days.
It goes to a voicemail that politely tells them why they are there, to remove us from lists & to leave a message/email if they think we’ve mishandled them.
Repeat offenders have their numbers filtered to only ever go to that extension. We don’t get much trouble on the phone these days, and nobody has to waste their time with niceties when we do get unwanted calls.
Thinking about spinning up another that just repeatedly hurls abuse in Hindi for the scam energy calls, which all tend to have geographically similar origins.
- Comment on How do you document your Homelab? 3 weeks ago:
🧠 + a few slapdash notes in a password manager. It’s very organic, very human.
Occasionally leads to situations like this.
- Comment on LG TVs’ integrated ads get more personal with tech that analyzes viewer emotions 1 month ago:
At that point I would expect control of it, or at least for it to respect the configuration it is given. If neither are true, then it just doesn’t go online at all. If that’s part of the main function, then I find an alternative or live without it.
Nothing on the inside should be sending anything to the outside that can’t be inspected before it leaves, with the exception of stuff that is directly driven by a human (guests browsing, etc).
- Comment on LG TVs’ integrated ads get more personal with tech that analyzes viewer emotions 1 month ago:
This is the best way, really. Generally, you have much more control over what you plug into it.
A display shouldn’t have anything even approaching what can be called an ‘OS’ on it. Yet here we are.
- Comment on LG TVs’ integrated ads get more personal with tech that analyzes viewer emotions 1 month ago:
Sometimes even that’s not enough. I’ve had some questionable kit before that would just ignore the DNS settings fed to it if it thought they were no good, and fall back to something else preconfigured.
pfSense is a wonderful tool for situations like that. Anything intended for local use only here just doesn’t get outside at all. Handy for stuff like a fire stick that only needs to be calling up a local media library.
It can also mangle any DNS requests going out to a different server and redirect them to itself instead. You could do this without it with iptables/nftables on a generic Linux box, but pfSense makes it much friendlier.
There are other packages that can do the same, but physically all you need is one piece of hardware as a bouncer that manages connections between inside/outside.
- Comment on I can't believe it 1 month ago:
Nah - I just can’t address a question to the right user, you’re all good haha
- Comment on I can't believe it 1 month ago:
Was about to say, £s not pence :) 50s will also out you as a tourist, if nothing else does. Whereabouts are you planning to visit? Just London for the touristy stuff or going for more of an explore?
As mentioned above, electronic payments are now the norm here and have been for ages. Shouldn’t have any problems using a phone or contactless card to pay in most places. Chip/PIN covers most everything else & when you get prompted to insert the card as a security check after trying contactless.
Swipe & sign is possible last time I checked, but pretty much defunct with chip/PIN being readily available. Cash only places are rare and usually associated with food or drugs.
.zip isn’t blocking UK access via apps/api, but it is for browsers. I like VPNs and supporting my home instance, so here I am :)
- Comment on I can't believe it 1 month ago:
If you’re bringing cash, bring it in 20s and below. 50s aren’t used much at all as they arouse suspicion - many smaller places will flat out not accept them.
Hope you enjoy the trip :)
- Comment on Is there still an effort to move technical help threads from Redshit to here? 1 month ago:
Also good, thanks.
Not that there’s much to maintain, it’s a one-and-done thing. This would resolve the unsigned extension though :)
- Comment on Is there still an effort to move technical help threads from Redshit to here? 1 month ago:
Thanks for the hint on libredirect/redlib, that looks very serviceable.
- Comment on Is there still an effort to move technical help threads from Redshit to here? 1 month ago:
I’ve frankensteined a horrible unsigned extension that’s half bad human code and half AI garbage that autoredirects reddit links to their archive.org version.
Does the job, if a little slowly, without this little shit getting in the way:
- Comment on Site Updated to 0.19.11 1 month ago:
All happy my side.
Nice one :)