Comments
Bro, he even answers our comments with an LLM. Obviously he learned something; people at the peak of Dunning-Kruger always... become enjoyable drama
OK. I'm going to pause normal operations momentarily and be nice for one single post.
The issue isn't so much even a problem with what your thing does. Even if it's completely safe, innocent, benign and the best implementation of whatever it is in the world, none of that is really important.
You're targeting security-obsessed geeks and asking them to put a random binary on their system, with absolutely no way of auditing it. It's clearly written by a single person who's young and inexperienced in security (everything in the OP screams "don't trust me"), or possibly worse, it's written by a well funded team of hackers, trying to pass it off as the work of a single person who's new to security. That label isn't intended to disparage you, even though it probably reads like that. Sorry, if I sugarcoated it you might miss the point.
And it's even worse than just running a single binary. It's something that is actually designed to sit in between EVERY SINGLE COMMUNICATION and granting or denying access to every single aspect of whatever it's supposed to be protecting. Whether there is a backdoor there or not, asking someone who cares the slightest bit about security to delegate their entire security to something that some kid on the internet has written, that's impossible to audit and literally could be doing anything, is frankly deluded.
Even if your app works superficially in its task, we have no way of knowing if there's a backdoor so that a hidden master secret can always grant access or if there's a way of remotely triggering a lock down to be used for blackmail. Maybe your app doesn't, that doesn't matter, what matters is that there's absolutely no way whatsoever of knowing.
Those concerns are assuming the app is fully locked down as a passive filter between the ports you're forwarding. We've just got to take it on trust that it's never initiating other connections out or allowing connections in after certain trigger conditions. It's just a random black box that you're asking people to trust.
Compared to the alternative of taking any of the existing implementations of a standard, being able to audit it as source code and integrate it into the app, or even outright swap it out and replace it for a different implementation of the same standard, literally nobody will want to do this.
I'm glad for you that you've done this. You've hopefully learned a lot through the process, and if you're actually using it yourself, you have a library that you've written yourself, you know you can trust and all is good for you (assuming there are no critical bugs that you've overlooked). But asking others to use it is just asking others to outright reject your project, particularly when you not only don't seem to understand a single one of our concerns, you don't even seem to want to try to understand them.
If you want to make a career in computer security, you need to understand these concerns and fully adopt them yourself in whatever you do, or it's almost a certainty that your systems will get hacked.
Finally, have a think about how you've framed your solution. "Zero trust". And yet you are requiring everyone who uses your product to trust it fully with literally the most important thing in their security model. And you can't provide any guarantees about it whatsoever. That's literally about as far from "zero trust" as it's possible to get.
Oh, I just noticed @Alyx basically wrote the same stuff, and more succinctly, while I was writing my post. I guess it doesn't hurt to hear it twice.
Fair points. I appreciate the detailed feedback and the nice reply. You're right—trusting a random binary is a big ask in the security world, and I probably underestimated how that looks to others.
This started as a personal learning project (Lite version), and I've definitely learned a lot from this discussion, both technically and regarding the security mindset. I’ll keep these principles in mind for future improvements.
Thanks for the advice. Cheers.
Looks good. I'll bookmark this for now.
Thanks for sharing mate.
I don't know if he will understand this; all of his replies are translations and/or through ChatGPT
Even his last reply is like "I don't care about other views, but you are right ..."
Maki, seriously, stop. You’re replying to everyone like a total obsessed stalker. Are you trying to be my No.1 fan or just a "Den-sha Chikan" (train creeper) following me around the internet? It’s getting weird. If you’re so in love with me or my code, just say so.
Keep replying using an LLM, don't worry, someone will validate you here
Glad you like it, mate! Thanks for the support.
If you run into any bugs or have suggestions, feel free to open an issue on GitHub. Cheers!
Whoever uses it is just a fucking idiot like you, so yeah, don't count on anyone using your AI slop
Yeah, English isn't my native language, so I use an LLM to translate. So what? Keep dancing for me, my obsessed "Chikan" fan.
@Admins ban this guy. cas f-word.
But you have not posted any code at all?