i'm increasingly convinced nothing good ever comes from youtube tutorials
whatwhaaaaat•Feb 14, 2026
The recent openclaw videos are the best. “Ten openopenclaw skills that will change your life!” Ends up being useless YouTube metrics and a glorified egg drop.
NooneAtAll3•Feb 14, 2026
remember when we could downvote the bad ones?
tokyobreakfast•Feb 14, 2026
Does the 7-Zip author still refuse to digitally sign or even provide hashes of the official downloads? It's an extremely weird flex, he thinks it's a frivolous waste of time or something.
giancarlostoro•Feb 14, 2026
Do people even double check installers are digitally signed? There's so much open source stuff out there that is not digitally signed, most people might not even notice.
tokyobreakfast•Feb 14, 2026
Windows has displayed a big scary orange prompt for at least the last decade when it isn't. More like 15-20 years IIRC.
But I'm sure people blindly click through the "Unknown author" prompt just as they would ignore a certificate error.
giancarlostoro•Feb 14, 2026
Like I said, theres a LOT of open source projects that show that prompt. Signing an MSI involves having a valid CA certificate, which AFAIK is not free, and goes beyond the budget of most projects.
tokyobreakfast•Feb 14, 2026
It's not free but it's not expensive either. Most well known Windows open source projects have them; e.g. PuTTY, Wireguard, VLC, Rufus, etc.
Maybe it's high time for a free-as-in-beer CA for non-profit open source developers funded by donations?
Edit: I was wrong.
Prices on code signing certificates have skyrocketed to in excess of $500/year, due in part to continuing meddling by the CA/B forum which increased the requirements of standard certs to be the same as EV certs, and requiring the key to be stored in a hardware token—which must now be re-issued yearly.
This makes it near impossible to provide free or affordable certificates to developers. Thanks CA/B forum, lots of help as usual.
JohnTHaller•Feb 14, 2026
We're up for renewal with PortableApps.com. The same one year non-EV code signing certificate with a USB token that was US$246 last year is now US$434 from GlobalSign. The lower prices you see some places are for 2+ years.
Note that the certificate itself is only for 1 year regardless of how long you buy one for and you need to go through the renewal process each year just without payment.
rustyhancock•Feb 14, 2026
Orange? It's a blue warning isn't it? Is this how one of us finds out he's colour blind?
tokyobreakfast•Feb 14, 2026
Blue when it has a valid signature.
Orange when it's missing or invalid.
fuzzy2•Feb 14, 2026
The UAC dialog for unsigned software has an orange or yellow accent. You could be talking about the SmartScreen dialog. There's yet another dialog for executable files downloaded from the internet, which I think has a red shield for unsigned software.
ozim•Feb 14, 2026
I use winget or homebrew, those tools do so for me and if something doesn't match they show an error.
jsheard•Feb 14, 2026
He's always been an odd one, for a long time he refused to enable even basic hardening features like ASLR and DEP because they made the executables slightly larger. He eventually relented on some of those, but last I heard the more advanced mitigations like HE-ASLR, CFG and GS were still disabled.
reddalo•Feb 14, 2026
I migrated from 7-Zip to NanaZip, a fork with modern Windows features that the original developer refuses to implement.
Whenever I see "modern Windows experience", it always turns to be worse than the original one.
deltastone•Feb 14, 2026
I would agree normally, but this one is a nice change and upgrade, actually.
dlcarrier•Feb 14, 2026
Well yeah, it says "modern" not "better".
Modern Windows and OS X and Android and iOS are all worse than the old ones.
margalabargala•Feb 14, 2026
I take your point, and usually you're right, but in this case "modern features" includes things like having an "extract" button show up when you right click an archive file in Explorer.
blibble•Feb 14, 2026
modern windows features?
I imagine an electron rewrite, with DirectX 12 and Copilot buttons everywhere
Already__Taken•Feb 14, 2026
No update for a year for something that opens weird files from the internet is a little scary, even just dependency changes. Not that 7-zip was ever any better at that.
TiredOfLife•Feb 14, 2026
Windows 11 has 7-zip support built in.
Dwedit•Feb 14, 2026
7zip.com has never been the official website of the project. It's been 7-zip.org
pibaker•Feb 14, 2026
How can the average 7zip user know which one it is?
Search results can be gamed by SEO, there were also cases of malware developers buying ads so links to the malware download show up above legitimate ones. Wikipedia works only for projects prominent enough to have a Wikipedia page.
What are the other mechanisms for finding out the official website of a software?
antisthenes•Feb 14, 2026
> How can the average 7zip user know which one it is?
I dunno, if you type "download 7zip" into Google, the top result is the official website.
Also, 7zip.com is nowhere on the first page, and the most common browsers show you explicitly it's a phishing website.
This is actually a pretty good case of the regular user being pretty safe from downloading malware.
sedatk•Feb 14, 2026
> I dunno, if you type "download 7zip" into Google, the top result is the official website.
Until someone puts an ad above it.
8organicbits•Feb 14, 2026
Sure, but the answer to "How can the average 7zip user know which one it is?" would then be "do a Google search and use uBlock Origin".
pixl97•Feb 14, 2026
How does the user know they are using the official uBlock Origin?
8organicbits•Feb 14, 2026
The Mozilla extension store doesn't have ads, so it's the top item. It has clear download counts and a "recommended" icon.
So the advice is to install it from the extension store.
pibaker•Feb 14, 2026
I feel I need to clarify my earlier comment. I was asking how can a user tell, in general, what is the legitimate website of a software, not just how to know what 7zip.com is malicious.
Are the search removals and phishing warnings reactive or proactive? Because if it is the former then we don't really know how many users are already affected before security researchers got notified and took action.
Also, 7zip is not the only software to be affected by similar domain squatting "attacks." If you search for PuTTY, the unofficial putty.org website will be very high on the list (top place when I googled "download putty.") While it is not serving malware, yet, the fact that the more legitimate sounding domain is not controlled by the original author does leave the door open for future attacks.
layer8•Feb 14, 2026
One way is to consult the same source(s) where the user learned about the software in the first place.
TiredOfLife•Feb 14, 2026
> Also, 7zip.com is nowhere on the first page
In incognito window, for me, it's 3rd result
n4bz0r•Feb 14, 2026
There is normally a wiki page for every popular program which normally contains an official site URL. That's how I remember where to actually get PuTTY. Wiki can potentially be abused if it's a lesser known software, but, in general, it's a good indicator of legitimacy.
throwaway198846•Feb 14, 2026
So wikipedia is now part of the supply chain (informally) which means there is another set of people who will try to hijack Wikipedia, as if we didn't had enough, just great.
jamespo•Feb 14, 2026
What's your solution? If you search google for 7-zip the official website is the first hit.
lyu07282•Feb 14, 2026
I was always impressed by how fast wikipedia editors revert that kind of stuff, so I think it's great advice actually!
n4bz0r•Feb 14, 2026
Not exactly news, wiki's been used for misinformation quite extensively from what I recall. You can't always be 100% sure with any online source of information, but at least you know there is an extensive community that'll notice if something's fishy rather sooner than later.
rtcode_io•Feb 14, 2026
1. Go to the wikipedia article on 7-Zip
2. Go the listed homepage
Markoff•Feb 14, 2026
open About in the app?
imglorp•Feb 14, 2026
Open source software will have a code repo with active development happening on it. That repo will usually link to official Web page and download places.
lukan•Feb 14, 2026
Not universal true. Open source just means that the code is avaiable, not that developement happens in the open. (But 7zip does have a github repo)
harladsinsteden•Feb 14, 2026
How would you ensure that the "average user" actually gets to the page he expects to get to?
There are risks in everything you do. If the average user doesn't know where the application he wants to download _actually_ comes from then maybe the average user shouldn't use the internet at all?
Seems this all comes down to the wrong domain (.org vs .com).
jsheard•Feb 14, 2026
The OP refers to 7zip.com, no dash. Those dashed domains directly resolve to the same Hetzner server, but the undashed one heads off into Cloudflare.
high_na_euv•Feb 14, 2026
It doesnt help that many services use a few domain names, bonus points if other ones look like from scam domain examples
throwaway150•Feb 14, 2026
I tested with the 3 major browsers and all 3 block it as "Suspected Phishing". So looks like the system is working as designed.
Lookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.
chalion•Feb 14, 2026
Weirdly, in Firefox 7zip.com is blocked but www.7zip.com isn't.
If you type '7zip' in the address bar and then press Ctrl+Enter to go to the address, you'll get owned, because that key-combo adds the www at the beginning.
jas39•Feb 14, 2026
I would not trust any sw from Russia. Could be a vector for the FSB. I'm sure they have thought about it.
jan_Sate•Feb 14, 2026
The same could be said for software from the US. Could be a vector of CIA. For average US citizens, it might even be safer to use Russian software because FSB can't come after them.
n4bz0r•Feb 14, 2026
Funny thing that it's exactly the same for Russian citizens - they'd rather use US government malware. Same goes for mail providers.
einpoklum•Feb 14, 2026
It is not a bad rule, to use online services / software where you know that the malicious owners are likely not after you nor in cahoots with the government where you live. Or you can take the Swiss option with stuff like ProtonVPN, Signal etc. :-)
ale42•Feb 14, 2026
Signal is not Swiss, though, although I'd like they to be ;-)
bloaf•Feb 14, 2026
I've started using winget to install my apps for exactly this reason. I can't keep track of every url for every piece of software.
ptx•Feb 14, 2026
Is that safe? Microsoft's policy [1] seems to say that anyone can publish an update to a package as long as it passes "an automated process" which checks that it's "not known to be malicious".
Did they change it because of the negative publicity (Reddit) and will probably change back soon to the malware links?
chalion•Feb 14, 2026
Maybe that's how they don't get banned by their hosting provider.
Once reports start coming in, they pretend to be a honest establishment.
kevincloudsec•Feb 14, 2026
The buried lede here is the business model. This isn't ransomware or data theft. The malware turns your PC into a residential proxy node and sells your IP address to third parties for fraud, scraping, and ad abuse. That's why it's designed to be invisible and why it persisted for so long. Traditional malware wants to disrupt or extract. Proxyware wants to coexist quietly.
Your machine runs a little slower, your bandwidth gets a little thinner, and someone halfway around the world is routing traffic through your home IP. It's a fundamentally different threat model and most endpoint protection isn't looking for it because the behavioral signatures look like normal network activity.
MuffinFlavored•Feb 14, 2026
> Your machine runs a little slower, your bandwidth gets a little thinner, and someone halfway around the world is routing traffic through your home IP.
I wish in 2026 the default on new computers (Windows + Mac) was not only "inbound firewall on by default" but also outbound and users having to manually select what is allowed.
I know it is possible, it's just not the default and more of a "power user" thing at the moment. You have to know about it basically.
TomatoCo•Feb 14, 2026
As a power user I agree, but how do you avoid it being like the Vista UAC popups? Everyone expects software to auto update these days and it's easy enough to social engineer someone into accepting.
tempest_•Feb 14, 2026
Even if it was a default there is so many services reaching out the non-technical user would get assaulted with requests from services which they have no idea about. Eventually people will just click ok with out reading anything which puts you back at square one with annoying friction.
> It's a fundamentally different threat model and most endpoint protection isn't looking for it because the behavioral signatures look like normal network activity.
Is it even possible for a prosumer home router like OPNsense or OpenWRT to detect this?
wowczarek•Feb 14, 2026
The .com site serving malware aside, it's how people even get to downloading this. PC builder [...], USB stick [...], YouTube tutorial for a new build [...] instructed to download. Makes me wonder, is this how "PC builders" build PCs, or was this a regular user person. Archive managers are such basic software that I'd think surely someone would keep a stash of (trusted) installer files for the basic tools to be installed in a new environment. At least that's what we used to do, like, 25 years ago. Or use choco, winget or whatever. Malware hygiene habits remain almost unchanged - don't click that link.
12 Comments
But I'm sure people blindly click through the "Unknown author" prompt just as they would ignore a certificate error.
Maybe it's high time for a free-as-in-beer CA for non-profit open source developers funded by donations?
Edit: I was wrong.
Prices on code signing certificates have skyrocketed to in excess of $500/year, due in part to continuing meddling by the CA/B forum which increased the requirements of standard certs to be the same as EV certs, and requiring the key to be stored in a hardware token—which must now be re-issued yearly.
This makes it near impossible to provide free or affordable certificates to developers. Thanks CA/B forum, lots of help as usual.
Note that the certificate itself is only for 1 year regardless of how long you buy one for and you need to go through the renewal process each year just without payment.
Orange when it's missing or invalid.
https://github.com/M2Team/NanaZip
Modern Windows and OS X and Android and iOS are all worse than the old ones.
I imagine an electron rewrite, with DirectX 12 and Copilot buttons everywhere
Search results can be gamed by SEO, there were also cases of malware developers buying ads so links to the malware download show up above legitimate ones. Wikipedia works only for projects prominent enough to have a Wikipedia page.
What are the other mechanisms for finding out the official website of a software?
I dunno, if you type "download 7zip" into Google, the top result is the official website.
Also, 7zip.com is nowhere on the first page, and the most common browsers show you explicitly it's a phishing website.
This is actually a pretty good case of the regular user being pretty safe from downloading malware.
Until someone puts an ad above it.
So the advice is to install it from the extension store.
Are the search removals and phishing warnings reactive or proactive? Because if it is the former then we don't really know how many users are already affected before security researchers got notified and took action.
Also, 7zip is not the only software to be affected by similar domain squatting "attacks." If you search for PuTTY, the unofficial putty.org website will be very high on the list (top place when I googled "download putty.") While it is not serving malware, yet, the fact that the more legitimate sounding domain is not controlled by the original author does leave the door open for future attacks.
In incognito window, for me, it's 3rd result
2. Go the listed homepage
There are risks in everything you do. If the average user doesn't know where the application he wants to download _actually_ comes from then maybe the average user shouldn't use the internet at all?
Lookalike websites serving malware have always existed. So this isn't exactly news. But the browsers are blocking them like they should.
[1] https://learn.microsoft.com/en-us/windows/package-manager/pa...
Did they change it because of the negative publicity (Reddit) and will probably change back soon to the malware links?
Your machine runs a little slower, your bandwidth gets a little thinner, and someone halfway around the world is routing traffic through your home IP. It's a fundamentally different threat model and most endpoint protection isn't looking for it because the behavioral signatures look like normal network activity.
I wish in 2026 the default on new computers (Windows + Mac) was not only "inbound firewall on by default" but also outbound and users having to manually select what is allowed.
I know it is possible, it's just not the default and more of a "power user" thing at the moment. You have to know about it basically.
https://github.com/tnodir/fort
Is it even possible for a prosumer home router like OPNsense or OpenWRT to detect this?
An article from 2018:
https://www.bleepingcomputer.com/news/security/fake-websites...
And uBlock Origin's "Badware" filter blocks it:
https://github.com/uBlockOrigin/uAssets/blob/master/filters/...