Hello and welcome to the Tuesday, March 4th, 2025 edition of the Sands Inundit Storm Center's Stormgast.

My name is Johannes Ulrich and today I'm recording from Baltimore, Maryland.

Well, and today we have a great diary by DDA showing some of the details of the mark of the web.

That's a feature that we have covered a few times already in the podcast,

usually because it didn't get properly propagated to different file formats,

depending on, for example, SIP file extraction software,

things like ISO images and the like,

where the mark of the web is lost in transfer. So the purpose where the mark of the web is lost in transfer.

So the purpose of the mark of the web is to indicate to the system that this file has been

downloaded from the internet, so the user can be presented with a warning if this file

is executable and the user is attempting to execute it.

On Windows, the mark of the web is implemented as an alternate data stream, which is supported

by the NTFS file system, but not all file systems, and with that not all archive utilities

do properly support alternate data streams,

which explains some of the limitations around the mark of the web implementation on Windows.

DDA also shows a little bit the details here.

So first of all, the mark of the web is essentially a little text file, like that alternate data stream,

and it includes, first of all,

zone information that indicates where the file came from.

So there are zones one through four that will then tell you.

Three, for example, would be this was downloaded from an external website.

In addition, you may find things like the URL.

...