lemmy.fmhy.ml is gone [update from the team]

https://sh.itjust.works/post/1484592


An update:

- fmhy.ml [http://fmhy.ml] is gone, due to the ongoing fiasco with Mali government taking all their .ml domains back
- As such, lemmy.fmhy.ml [http://lemmy.fmhy.ml] is also gone, we are currently exploring ways to refederate (or somehow restart federation entirely) without breaking anything substantial
- We have backups, so don’t worry about data loss (you can view them on other instances anyway)

Currently, we have fmhy.net [http://fmhy.net] and are exploring options to somehow migrate, thank you for your patience.

glad to see them not go down the vlemmy path

Yes, that’s reassuring. Also, nice to see their main website, I never actually noticed it existed

What happened to vlemmy?

Nobody really knows for sure. It just sort of disappeared one day with no warning.

Is this going to be an unsolved mystery of the Internet? A spooky Fediverse legend?

Damn, lemmy.zip, eh? If that instance is public, I don’t see that being a good thing.

Tons of businesses, people, etc, are all banning .zip and .mov TLDs for security purposes. I’ve personally banned all those domains from my network as well.

Bold move.

What’s the issue with those TLDs?

trendmicro.com/…/future-exploitation-vector-file-…

Actually really huge security threats. It’s a very good idea to block them. I especially did because my girlfriend works for the government and does some secret stuff that can’t really get out, and she deals with a ton of real .zip files. I think everyone regardless of who they are should make sure to block them.

Future Exploitation Vector File Extensions as Top Level Domains

In this blog entry, we will examine the security risks related to file extension-related Top-Level Domains (TLDs) while also providing best practices and recommendations on how both individual users and organizations can protect themselves from these hazards.

Trend Micro

See youtu.be/GCVJsz7EODA and youtu.be/V82lHNsSPww

There are a few problems, but I believe the biggest issue is that .zip and .mov are valid and common file extensions, and it’s common for people to write something like ‘example dot zip’ or ‘attachment dot mov’ in emails, tweets, etc. Things like email clients have features where they automatically convert text that looks like a web address into clickable links. So now, retroactively, all those emails etc suddenly have a link, where they used to just have text, and the domains that are equivalent to those previously benign file names are being purchased by nefarious actors to exploit people unaware of the issue.

Google Did Something REALLY Stupid - Protect Yourself!

YouTube

Yeah, you have a point. I may go block those TLDs tonight.

But there’s only an issue if the software you’re using auto linkifies the domain. They often don’t and won’t. This seems like a hypothetical problem that probably doesn’t exist for most major software.

If you’re curious, you can see if whatever software you’re viewing this post in auto linkifies (neither are for me): hshshssu.zip iwuf8aowk.mov

At 1:30 in that second video, he shows that YouTube already converts dot zip domains, even in old comments that predate the domain’s existence. At 3:19, he shows/mentions Twitter, Reddit, Facebook, and LinkedIn. I would consider those major platforms. And keep in mind, it only takes one person downloading one file to cause major damage - the LMG hack was due to someone downloading and trying to open a fake PDF that was sent via email: youtu.be/yGXaAWbzl5A.

So yes, not everything does or will auto convert the links, but I think you are underestimating the potential for issues here.

My Channel Was Deleted Last Night

YouTube
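The ambiguity discussed in the comments above, as an added example that is not part of the original thread: a Python check that flags text a permissive auto-linkifier would turn into a .zip or .mov link, plus a hostname test of the kind a TLD block uses. The regex is an approximation of linkifier behaviour (an assumption), the function names are hypothetical, and the sample message is constructed.

```python
import re

# The two TLDs discussed in the thread; both are also common file extensions.
FILE_EXT_TLDS = {"zip", "mov"}

# Approximation of a permissive auto-linkifier (an assumption, not any
# platform's real rule): optional scheme, dot-separated DNS labels, final TLD.
# The lookbehind skips e-mail domains and path segments such as /dl/setup.zip.
_HOST = re.compile(
    r"(?<![\w@./\\-])((?:https?://)?)"
    r"((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+([a-z]{2,63}))"
    r"(?!\.?[\w-])",
    re.IGNORECASE,
)

def find_ambiguous_names(text):
    """Return tokens whose last label is a file-extension TLD.

    'bare_name' means the writer typed no scheme, so the token may have been
    meant as a file name; 'explicit_url' means a scheme was typed.
    """
    findings = []
    for m in _HOST.finditer(text):
        scheme, tld = m.group(1), m.group(3).lower()
        if tld in FILE_EXT_TLDS:
            kind = "explicit_url" if scheme else "bare_name"
            findings.append({"token": m.group(0), "offset": m.start(), "kind": kind})
    return findings

def is_blocked_host(hostname):
    """Resolver/proxy-style test: is the host under one of the listed TLDs?"""
    labels = hostname.strip().lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] in FILE_EXT_TLDS

# Constructed sample message, not taken from any real mail.
SAMPLE = ("Please open attachment.zip and holiday.mov from bob@files.zip; "
          "the installer is at https://example.com/dl/setup.zip, "
          "not https://updates.zip")

if __name__ == "__main__":
    for f in find_ambiguous_names(SAMPLE):
        print(f["offset"], f["kind"], f["token"])
    print(is_blocked_host("lemmy.zip"), is_blocked_host("files.zip.example.com"))
```

A renderer can use the `bare_name` findings to leave such tokens as plain text instead of linking them.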

i don’t doubt there have been a lot of cases of those tlds used for scams but i haven’t been negatively affected by this instance’s domain name.

feel free to read the discussion about it here though

Maybe hosting communities here isn't a good idea after all - Lemmy.zip

After all, don’t many platforms (or heck, browsers) render .zip URLs nonfunctional due to security concerns? Meaning our community.lemmy.zip links may not automatically hyperlink when we want them to, or it may trigger security risk popups. Whoops. Feel free to correct me.

I can’t open that link because I block .zip domains lol