Huh, this is interesting. There are many top-level domains these days; we're way past the days when the world consisted of .com, .edu, .org, and .gov. I hadn't realized that one of those TLDs is .zip.

Yeah, really. That seems like asking for trouble. People sometimes do legitimately download ZIP files from sites they trust, like GitHub. But maybe you're not really talking to GitHub...

This post does a good job of explaining how a stray @ in a URL might ruin your whole day:

Can you quickly tell which of the URLs below is legitimate and which one is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip

https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip

[...] As you can see in the breakdown of a URL below, everything between the scheme https:// and the @ operator is treated as user info, and everything after the @ operator is immediately treated as a hostname. However modern browsers such as Chrome, Safari, and Edge don’t want users authenticating to websites accidentally with a single click, so they will ignore all the data in the user info section, and simply direct the user to the hostname portion of the URL.

For example, the URL https://google.com@bing.com, will actually take the user to bing.com.

I didn't know that part about user info. Combined with Unicode fakes of characters you expect in URLs, this can send you somewhere very different from where you thought you were going.

We all know not to trust links or attachments from unverified sources (right?). But stealth URLs add extra risk; you might eyeball the URL in that email and decide "yeah, I trust GitHub/Dreamwidth/Google/whatever". Be careful out there.

Edit for info provided in a comment (thanks!): Also .mov. This post does a good job of demonstrating how this can be exploited and catch even people who are careful.

I might just edit my hosts file to wholesale block these domains.

There is an old joke about a man who is talking with his doctor after having surgery on his hands. He asks the doctor, "will I be able to play the piano when I recover?". The doctor says yes, he'll make a full recovery. "Great," the man says, "I've always wanted to know how to play".

This morning I got email -- sent through the contact form on my personal web site -- from someone with "hacker" in the address (yeah, right):

We have hacked your website cellio.org and extracted your databases. This was due to the security holes you had in your your site/server which have gained us remote control of everything that was on the server.

Our team is mostly interested in customer, administrative, and employee information which we have extracted through your databases once we got remote control over the server. It still needs to be sorted out but it will be well-organized once finished. First, we will be going through the emails/sms information and contacting the recipient how you held in disregard about their information being exposed to a hacking group when you could have stopped it. This would be detrimental to your personal image with these relationships with these people. Lastly, now that we have information not only will we be monetizing off it with our methods but made public or sold to other people that will do whatever they wish with the information also after we are done.

Now you can put a stop to this by paying a $3000 fee (0.11 BTC) in bitcoin. You can find our address by visiting [redacted] where you can copy and paste the address or scan the QR code. We will be notified of payment which we will then delete the information we have obtained, patch the hole in the site/server which we got in and remove you from any future targeting in the future. You have 72 hours in doing so after viewing this message or the series of steps will commence. You can obtain bitcoin through such services such [...]

<snark>

Gosh, I'd sure like to have that database full of employee and customer information. Wow, I have employees and customers! And a database! Maybe as a show of good faith you could tell me some of the information you "extracted"? Or if that's too hard, let's start with: what kind of database did you say that was? Surely you can tell me that.

I'm also curious about why you took the inefficient route here. Your email to webmaster got filtered as spam; I happened to notice it but could easily have missed it. Since you have my database full of contact information, why didn't you contact me directly? Just a helpful tip for reaching your future "customers" -- take the direct path.

Oh, and since you've got remote control of my server anyway, could you upgrade to the latest Emacs? I've been meaning to do that. You do want a good review for customer service, right?

Finally, since your proposal includes commitments to future actions on your part, please provide a verifiable contact address in case I need to make a claim.

</snark>

The replacement phone arrived Wednesday (faster than they said, good). I'd already done a manual backup on top of the automatic one, but migration from one phone to another of the exact same type and OS version is easier: connect them via a cable and wait. Basic data transfer happened within an hour, though it took a few hours for apps to get installed and Chrome was being especially finicky for some reason.

My settings were almost all there; I expected to have to do more manual configuration (including re-laying out the icons where I wanted them). Nope, that was all fine. I had to set up each individual app again, though; sometimes that was just a matter of logging in (for example, Tusky or Authy), but sometimes it required redoing everything (email client for my non-Gmail accounts). Chrome had a weird bug where tabs didn't work (!) but the update ("new version available", it kept saying) would hang; after a few reboots it sorted itself out.

There was a feeling of trepidation as I kept asking myself "are you sure you have everything you need?" before doing the factory reset on the old phone, but I finally did that today. It started doing the flashing-display thing during the reset, so I just left it for a while. The documentation says a factory reset can take an hour, so after a couple hours I power-cycled to see where it was.

I was greeted by the "new phone" setup screen, so that worked.

And then it started flashing again. Ha.

Yes, support person, I was right: that's a hardware problem. After another power-cycle (so I could see what I was doing) I shut it down and boxed it up, and tomorrow I will take it to FedEx.

The replacement they sent me was marked as "refurbished", but they are holding the price of a new phone against my credit card, which feels wrong. It's only a problem if the package doesn't arrive in time (which is why I will hand it to a human at FedEx and get a proper receipt), but it's still sleazy. And yes, if they were to charge the card they would add shipping charges, so it's not to offset that.

I've never had to make a warranty claim on a phone before, so I don't know how my experience with Google compares to what I would have had with other vendors. It's something I should try to find out before I buy my next phone, which I hope will be several years from now.

I got my Pixel 5A in March of last year. So, fortunately, it is still in its warranty period.

This is the weirdest failure I have heard of. Yesterday, I took my phone out of my pocket, woke it up, and was greeted by a flashing screen. What it was flashing was a screen full of "snow", like what you get on a TV that's tuned to a station that's not broadcasting, but static -- the whole screen was flashing but the snow wasn't moving around. Hmm, very odd. As I tried to shut it down gracefully I could see that the "underlying" image was responding to me -- there were the usual buttons for "restart", "shut down", and whatever else -- but so fleeting that I couldn't catch them with my finger or read them. On to the hard reboot via the power button.

I Googled this but did not find answers.

I hoped it was a one-time glitch, but I wouldn't be writing this post if it were. Almost every time, but not every single time, since then, recovering from "sleep" mode gets me not the usual desktop but this flashing thing from which I can only hard-reboot. Rebooted about 20 times yesterday.

After the first reboot I had a new notification of a pending OS update, so I applied that. No change. I uninstalled the app I most recently installed, which should have been safe but it's basic troubleshooting. No change. I had, I think on Friday, gotten a batch of miscellaneous app updates, but I don't see a way to review exactly what now. But also, it wasn't right before this behavior. None of that was; that app (from my bank) was sometime last week.

Off to chat support I went. The agent I spoke with told me both that it's a software problem and that I would need to take it to their designated repair place for a hardware repair (for which you must first do a system reset); I asked her to reconcile those two things but she didn't. I pushed back on the repair place, noting that earlier in the warranty period I'd had a problem for which they said that was the solution, but the place couldn't help me and was kind of rude about it and it never got fixed. I asked if the software problem was something I could fix but her script didn't have any info about that. I said in that case, since it's under warranty, I want to exchange it, and I know they have a scheme where they send you the new phone (with a hold on your credit card), you migrate to it and send back the old one, and they release the hold. After I sent her a video of the behavior (an adventure of its own, as she was assuming I could do that from my phone and share it and I was like "uh, this is a video taken with my partner's iPhone and no it's not in my photo gallery and I need to upload or email it to you"), she collected some information from me and came back a few minutes later to say something like "good news, it's under warranty" (I knew that), and then gave me instructions for mailing back the phone and then they'd send me a new one, "or if you like, we could do" (exactly what I'd just asked for). Yeah that, I said.

Meanwhile, I installed Authy on my tablet lest the phone become completely unusable, because I wouldn't want to be locked out of anything that requires two-factor authentication. Today I noticed a seeming pattern where the phone would be fine so long as it was active, and if I set it on the desk next to me I could then wake it up but if I put it in my pocket we'd be back to the snow. This is, uh, the same pocket position I always use. But then the snow thing happened while I was using the phone, so apparently it's not that either. I am mystified.

It's going to be an aggravating several days, methinks.