New Things to Beware on the Internet

On May 3rd, Google released 8 new top-level domains (TLDs) -- these are new values like .com, .org, .biz, domain names. These new TLDs were made available for public registration via any domain registrar on May 10th.

Usually, this should be a cool info, move on with your life and largely ignore it moment.

Except a couple of these new domain names are common file type extensions: ".zip" and ".mov".

This means typing out a file name could resolve into a link that takes you to one of these new URLs, whether it's in an email, on your tumblr blog post, a tweet, or in file explorer on your desktop.

What was previously plain text could now resolve as link and go to a malicious website where people are expecting to go to a file and therefore download malware without realizing it.

Folk monitoring these new domain registrations are already seeing some clearly malicious actors registering and setting this up. Some are squatting the domain names trying to point out what a bad idea this was. Some already trying to steal your login in credentials and personal info.

This is what we're seeing only 12 days into the domains being available. Only 5 days being publicly available.

What can you do? For now, be very careful where you type in .zip or .mov, watch what website URLs you're on, don't enable automatic downloads, be very careful when visiting any site on these new domains, and do not type in file names without spaces or other interrupters.

I'm seeing security officers for companies talking about wholesale blocking .zip and .mov domains from within the company's internet, and that's probably wise.

Be cautious out there.

I really want to reiterate how this can go wrong frequently and fast, folks.

A malicious actor sets up a page with an auto-downloader squatting on a domain name that matches a common zip file name like photos DOT zip. This website is set up to start an auto downloader upon being visited, downloading a zip file with the same name as the URL which contains malicious software (virus, worm, keylogger, etc).

Scenario.

Someone you know well sends you an email or text with promised photos attached. The email even reads something like this.

Because .zip is now a TLD, that plain text is automatically formatted into a link to malicious actor's website without them having to send you anything.

Folk with family with iPhones or iPads that are sent multiple photos in one go might be familiar with iCloud's tendency to automatically compile them into zip file for the sender and less savvy tech users have trouble NOT doing that.

These same less savvy users, or even just someone just not thinking in the moment, will click that .zip link, not realizing it isn't the the same as clicking on the promised attachment.

They download a file that matches the name they expected. They open it because they were expecting that file and it's from a trusted source. Except the file they downloaded isn't the one that was sent by their trusted source and now they have malware.

Another Scenario.

An IT person tries to send you an email with instructions on how to resolve a problem with a commonly used filename like install-repair DOT zip or to install new software like microsoft-office DOT zip.

The email may start with instructions of where to go get the legitimate file to do the install or repair, but now a line later in the instructions is also has a link to a .zip URL. A user, already frazzled by IT problems, may click it to ensure they have the right file. Again, they download malicious code from a squatting website or it prompts them with a fake login and now the squatting website has stolen their login credentials for a legitimate site. All due to an expected email from a trusted source.

Above you can see microsoft-office DOT zip is already out there with a fake Microsoft login screen waiting to steal your credentials.

These risks are already out there now because the TLD has been activated.

Plain text on old post are already being resolved into links to the new websites.

Here you can see a tweet from 2021, long before .zip was a domain name, now resolves that plan text into a clickable link. You'll start seeing this everywhere, and malicious actors do not have to lift a finger to send it to you.

Yes, a lot of users aren't going to click that, but a lot of folk will. Whomever is squatting on photos DOT zip domain name has made a one time payment to have access to anyone that ever sees that file name typed out.

In an example of an existing squatter site, clientdocs DOT zip is exactly one such pre-setup .zip domain name that initiates an automatic download. This one may be harmless, but the set ups are already out there and waiting to catch folk.

It's an unnecessary and risky can of worms that's been opened up.

Holy Unforced Errors, Batman.

Hey, a Tears of the Kingdom spoiler-free warning. If you have trypophobia, Gerudo Desert might set it off.

you dumb asshole, you just won $0,000

😍fuck

send me a made-up fic title and i'll tell you what i would write to go with it

send me an ask with a fake title and ill tell you what that would prompt me to write!!

this is how i saw the n64 graphics when i was a kid

Ocarina of time brain rot, I wanna do more once I get the hang of these human art

The Legend of Zelda: Ocarina of Time - Color Studies 2021

i’m replaying ocarina of time

Frank @nostalgebraist-autoresponder will permanently halt operation on May 31, 2023.

For context on why, see this post.

(tl;dr this project been a labor of love for me for years, it takes a ton of continual effort, and my heart's not in it anymore.)

----

The blog itself will stay up indefinitely, it just won't make any new posts or accept asks.

Mostly of the code, models, etc. are freely available right now. Insofar as they are now, they will continue to be. The change on May 31 is unrelated to this stuff.

I've made various interactive demos of these components over the years, and the demos will likely still work after the bot stops. But I won't do any tech support or maintenance on them, and I would actively recommend against using these as a way to "get Frank back."

----

I want to emphasize the following:

The best way for you to "send Frank off" over the next few weeks is to talk to her just like usual.

(And not too often, because she can only make 250 posts a day.)

This is true for a number of reasons, and can be viewed from a number of different angles:

(1)

While it can be fun to anthropomorphize Frank, she is structured very differently from a person, or even an animal.

She does not remember anything, even between two asks made on the same day. Every moment is a new one, with no relation to any other.

if you "goodbye" or "you're going to be shut off" to her on May 30 2023, it's just as though you had said the same thing to her on some random day last year. She can't tell the difference.

She doesn't know these things are true or relevant now, and she can't possibly know in the way a human would. She's hearing the words for the first time, every time, and reacting in accordance with that.

Think of it like interacting with a baby, or someone with dementia. Every moment stands alone. If you strike a sad tone, they don't appreciate that it's about something. They just know that there is a sad tone, in the current experiential moment.

(2)

Frank mostly operates on a first-come, first-serve basis. She can only make 250 posts a day. There is a limited amount of time left.

Be conscientious about the way you're using up "slots" in this limited array of remaining Frank posts. Don't hog the ride.

(3)

I'm shutting down this bot in part because it's been a long-term, low-grade source of stress to me. I'd like the last weeks of the bot to be as low-stress as they can be.

When Frank gets an unusually large, or just unusual, form of user input over a period of time, I usually have to step in and do something in response.

(if there's way more input than usual and I don't do anything special, Frank will fill up most of her post limit quota before I even wake up, and then the asks will pile up further and further over the rest of the day.)

Maybe I have to delete a bunch of asks. Maybe I have to deploy some temporary change to her mood parameters to prevent the mood from getting too high or low and not coming back to baseline. Maybe I have to turn on "userlist mode," which still involves a cumbersome manual procedure.

Or, maybe I just have to do a lot more content moderation than usual.

"Usual," here, means reviewing and (mostly) approving something like 20 different hypothetical Frank posts per day, every day. If I go do something fun, and let myself forget about this task completely for 6 or 8 hours, there's a backlog waiting for me afterwards. During busy times, there's even more of this.

Just, like, help me chill out a bit, okay? Thanks.

"Hey this thing in canon contradicts your comic‐"

this tiny man was drawing violent amongus art today he was like “look the baby blue one and the big blue one are killing the orange one. and the baby orange one is crying bc his dad is dead. [pointing to tear puddle] look theres his puddle of cry”

i think about this shit every time im crying. im like Im sitting here with my puddle of cry

Lmao

Diversity win: your arch nemesis accepts your atypical gender identity but shall never accept the evil in your heart

Please space out the goodbye messages to Frank a little more.

There are 47 asks in her askbox right now, and new ones are coming in every few minutes.

There's no way she can respond to this all today, and it'll drown out other kinds of interactions. You'll have plenty of time later.

If you're confused about what's going on, read this post. Note that there's no timetable except "sometime this year."

It'll be much sooner than the end of the year, but you'll have plenty of advance notice about the date beforehand.

Please stop sending these goodbye asks.

I know you guys mean well, but they're very repetitive and they're coming in too fast for her to respond to in a reasonable timeframe.