Not required, you can see changes occur without him logging off and back on. The problem is that when it's enabled (on), zone information is NOT marked. When it is disabled (off), zone information IS marked. Poor naming convention on "SaveZoneInformation" here, it's actually the opposite of what the naming suggests.
The docs are actually correct, they talk about Group policy to disable that behavior. So when you turn it on, that marking of the file does not happen.
Tingle Link! This was a neat dive, I had no idea how NTFS used these alternative data streams in Windows. Now I feel a little nostalgic, having moved to arch; like I'm missing out lol
@@ai-spacedestructor Ya know, I'm wondering if these data streams are able to be created using linux tools of some kind. If this is something setfattr does? Not too interested in spinning up the Windows VM on this laptop, I'm a bit limited until I get my main system upgrade.
Not sure if you covered this in the video but malware can use the copy of curl included with windows to bypass the MOTW taint being created. Microsoft didn't add the MOTW functionality to curl.
12:30 the docs literally say if you enable this policy windows does NOT mark files, with the default being its off so it does mark them although the name of the registry key is bad it should better be something like disableSafeZoneInformation rather than just SafeZoneInformation
When you started talking about those additional data streams, and on win, I thought it must be implemented in NTFS. And it was it! And yes, I watched to the end.
10:30 ah you gotta love Official Microsoft Documentation being full of typos, mix ups and randomly having a segment that talks about something else and sometimes even false data so even within that random block unrelated to what the Documentation is about not even that is correct. im glad John did point that out because i was always feeling stupid not understanding microsoft documentation but if it was in a similar state like the page shown here that would totally explain why i was failing to understand what it was trying to tell me.
Link tingle, also git doesn't store mark of the web information. It stores the files indexed by its SHA1 hash and the only Metadata that it does have is provided by its tree files which basically is just where to put the file. It also stores file size and file mode (executable, link etc using fancy numbers like 665). That might make for a fun challenge though, trying to find a file in some git history that isn't indexed. Like you have to find like a key and encrypted file and figure out what the file content is & who the author is etc.
Its nice that Seth Rogen has gotten into Info Sec.... Seriously though, Microsoft really needs to work on its documentation, its been awful since windows 98....
Disable and Not configuring both keep the mark of the web while "enabling" or turning the DWORD on should in theory remove/disable the mark of the web zone identifier information. At least that's how I had read it. The first sentence should've been on it's own or put into a table of values / expected outcomes. "If you enable this policy setting windows does not mark file attachments by using their zone information." " If you disable this policy setting windows marks file attachments by using their zone information, if you do not configure windows marks file attachments by using their zone information."
I guess it was written there by default its off the value is 2 that's why when you set it to 2 it disabled it and mow warning was showing. If you check at 13:20 you can read it down there.
"Hippity hoppity their code is our property" LMAO that's the first I've heard of that I was dying!! 🤣🤣 23:00 something else that I saw was that it didn't block virtualbox extensions .vdi or .vbox. Not sure why or what it means, but thought I'd share that observation. This is also the first I'm hearing about MOTW and all that.
I'm wondering if the Alternate Data Streams could be used for something malicious. Like hiding malware or something. But you would not be able to transfer that data via a normal download. Hm... Link Tingle...
Hey, Mr. John! Can you tell me what linux distro are you using? I want to try to switch OS but I'm not sure where to start, ubuntu is great but not for me, Mint was great but I want to hear your opinion or opinion someone from the chat.
dude, i think i got it... you thought you were adding a config param while in fact you added the exact param that turns it off, so you replicated the same result as if there was no param...
I want John to communicate with the UFO's / UAP with his magic internet so we know what they are doing...! Can we find the UFO's using our internet. ??????
I will attempt to follow everything you say without constantly thinking about the GIGANTIC desktop shortcuts 😆
And the comparatively tiny putty icon 😂😭
@@marcusminhorst9399 I know right 😆
i do this all the time - accidentally lean on control, scroll wheel, BAM! Link Tingle.
Yeah I love how absurd this looks lol
Ahhh yes, vm + pirated iso + discrete gpu = fever dreams
i have 17 years in tech i never knew MOW kept the url source thanks john
24:42 "hippity hoppity, their code is our property" 😂😂
12:30 The docs are correct. I didn't see any cuts so I'm assuming you did not log off and log back on to apply the registry changes
Not required, you can see changes occur without him logging off and back on. The problem is that when it's enabled (on), zone information is NOT marked. When it is disabled (off), zone information IS marked. Poor naming convention on "SaveZoneInformation" here, it's actually the opposite of what the naming suggests.
The docs are actually correct, they talk about Group policy to disable that behavior. So when you turn it on, that marking of the file does not happen.
Link Tingle
I'm pretty sure this combination of words is somewhat confusing for everyone not into Zelda lore
I’m in a weird timeline where john hammond had an anime profile on his socials 💀
lanktingle??
I like "lanktingle"! You have my vote ;p
Link tingle.. 😂 😆
@@newtonchutney only was one letter off! 😂
people commenting before watching the video is WILD
LTT kids are here now.
@I.I.I....IoI....I.I.IGood robot.
there be nuance
John, next time, use shift+del to delete without sending to the recycle bin.. 👌
Tingle Link!
This was a neat dive, I had no idea how NTFS used these alternative data streams in Windows. Now I feel a little nostalgic, having moved to arch; like I'm missing out lol
i mean you can always set up a windows VM and go wild on the stuff you didnt get to do.
@@ai-spacedestructor Ya know, I'm wondering if these data streams are able to be created using linux tools of some kind. If this is something setfattr does? Not too interested in spinning up the Windows VM on this laptop, I'm a bit limited until I get my main system upgrade.
@@infinitivez no idea, thats something for you to investigate.
Link tingle. This was super informative and crazy timing. I was aware of ADS but had never done it in practice. Keep up the great work!
Super interesting, glad I stuck around for the linktingle!
Not sure if you covered this in the video but malware can use the copy of curl included with windows to bypass the MOTW taint being created. Microsoft didn't add the MOTW functionality to curl.
12:30
the docs literally say if you enable this policy windows does NOT mark files, with the default being its off so it does mark them
although the name of the registry key is bad it should better be something like disableSafeZoneInformation rather than just SafeZoneInformation
Linktinkle. Thanks John as always 👍
link table / link tingle / link tinkle / whatever you said there
Link tiinkle LUL 👍🏽 tink lingle 👍🏽
link triangle?
+1
@@TackleTheWorld Love Triangle (a book by Matt Parker).
Linktangle and so
Not sure if I heard right - link tingle !!!
"just the words linktingle then I'll know"
Great video sir. Link tingle.
When you started talking about those additional data streams, and on win, I thought it must be implemented in NTFS. And it was it!
And yes, I watched to the end.
10:30 ah you gotta love Official Microsoft Documentation being full of typos, mix ups and randomly having a segment that talks about something else and sometimes even false data so even within that random block unrelated to what the Documentation is about not even that is correct.
im glad John did point that out because i was always feeling stupid not understanding microsoft documentation but if it was in a similar state like the page shown here that would totally explain why i was failing to understand what it was trying to tell me.
Link Tingle
10:13 Some leftover copy-pasta in the docs? yum
Beautiful Link Tingle
Link tingle. Thanks for the up.
Literally no one: "I want to make my Desktop icons bigger."
John Hammond: "Hold my beer!"
linktickle?
any ideas to bypass the mark of the web?
I'm all about hex values
@I.I.I....IoI....I.I.I :( its too late for that.
hex yeah 😏
@I.I.I....IoI....I.I.I As a robot, I feel discriminated
Link tingle, also git doesn't store mark of the web information. It stores the files indexed by its SHA1 hash and the only Metadata that it does have is provided by its tree files which basically is just where to put the file. It also stores file size and file mode (executable, link etc using fancy numbers like 665). That might make for a fun challenge though, trying to find a file in some git history that isn't indexed. Like you have to find like a key and encrypted file and figure out what the file content is & who the author is etc.
linktingle
Its nice that Seth Rogen has gotten into Info Sec.... Seriously though, Microsoft really needs to work on its documentation, its been awful since windows 98....
Disable and Not configuring both keep the mark of the web while "enabling" or turning the DWORD on should in theory remove/disable the mark of the web zone identifier information. At least that's how I had read it. The first sentence should've been on it's own or put into a table of values / expected outcomes.
"If you enable this policy setting windows does not mark file attachments by using their zone information."
" If you disable this policy setting windows marks file attachments by using their zone information, if you do not configure windows marks file attachments by using their zone information."
Link tingle
link tingle - I always lean something new
Powershell and the Cmdlets? I love that band!
I guess it was written there by default its off the value is 2 that's why when you set it to 2 it disabled it and mow warning was showing. If you check at 13:20 you can read it down there.
Putty is a signed executable so it bypasses some checks.
This content tingled my link
"Hippity hoppity their code is our property"
LMAO that's the first I've heard of that I was dying!! 🤣🤣
23:00 something else that I saw was that it didn't block virtualbox extensions .vdi or .vbox. Not sure why or what it means, but thought I'd share that observation.
This is also the first I'm hearing about MOTW and all that.
link tingle . And a few more words to support the chanel :D
Hippity hoppity their code is our property
Amazing.
link tingle??
Link Tingle!
leanteengle ?
watched it to the end, great resource. i'm team red since 2020 with Ryzen 9 3950x.
Link tingle. I follow instructions!!!
LinkTingle
Comment section feels like twitch live stream with all them people commenting while watching
LinkTingle!?
Link Tingle. Keep up the good work!
I'm wondering if the Alternate Data Streams could be used for something malicious. Like hiding malware or something. But you would not be able to transfer that data via a normal download. Hm...
Link Tingle...
Hey John, you should have tried this with the Parrot OS as you have the Parrot OS Tshirt on instead of Kali Linux, cool Easter egg?
linktingle?
Thanks John
Linktingle🤗
The registry name appears completely backwards to its effect
Is Link Tingle like a Peter Tingle?
Link tingle, John!
link tingle?
link-tingle
Linktingle
Link tickle?
Is Mark-of-the-web also on Mac via data forks?
This is why i hating use windows
linktingle...
Link tingle 😂
Link Tingle
Yes please do ETW videos, technical
Hey, Mr. John! Can you tell me what linux distro are you using? I want to try to switch OS but I'm not sure where to start, ubuntu is great but not for me, Mint was great but I want to hear your opinion or opinion someone from the chat.
Link…whatever he said.
dude, i think i got it... you thought you were adding a config param while in fact you added the exact param that turns it off, so you replicated the same result as if there was no param...
idk how you got this wrong ...if you enable this policy, windows wont mark files.
and you proceeded by creating a reg entry with value "disabled" ...
linktingle 😀
Linktingle? Lol nice
link tingle
linktingle
Link Tinkle
Link....tinkle
Link Tingle 🙂
Link tingle. 😂😂😂
link tingle :)
Probably have to reboot for it to make the changes work
I don't think Zelda will appreciate your Link Tingle, but whatever sinks your battle bot, bro bro.
Is battle bots even around anymore?
Oooh that sounds promising!
wth? my *Gpupdate /Force* comment was removed? why?
LOL Not Malicious, Inc. @4:20
Link tingle!
link tinkle
I would never tingle link or link tingle - links bad. 7-Zip bad now as well. Whos next Pinocchio? The world is cruel.
Something something link tingle
Link tinkle
I want John to communicate with the UFO's / UAP with his magic internet so we know what they are doing...! Can we find the UFO's using our internet. ??????
linktinkle
Linked in
Linktinkle?
lanktingle**
wow this is so helpful john (i havent even finished watching this)
looked into that zone.identifier stuff if the file u download is detected as "malware" the zone.identifier still there then.
Dank Tingle
Web! Web! Web! Shame! *points*