
Comments
Bro, he even answers our comments with an LLM, obviously he learned something, people at the peak of Dunning-Kruger always... become enjoyable drama
OK. I'm going to pause normal operations momentarily and be nice for one single post.
The issue isn't so much even a problem with what your thing does. Even if it's completely safe, innocent, benign and the best implementation of whatever it is in the world, none of that is really important.
You're targeting security-obsessed geeks and asking them to put a random binary on their system, with absolutely no way of auditing it. It's clearly written by a single person who's young and inexperienced in security (everything in the OP screams "don't trust me"), or possibly worse, it's written by a well funded team of hackers, trying to pass it off as the work of a single person who's new to security. That label isn't intended to disparage you, even though it probably reads like that. Sorry, if I sugarcoated it you might miss the point.
And it's even worse than just running a single binary. It's something that is actually designed to sit in between EVERY SINGLE COMMUNICATION and granting or denying access to every single aspect of whatever it's supposed to be protecting. Whether there is a backdoor there or not, asking someone who cares the slightest bit about security to delegate their entire security to something that some kid on the internet has written, that's impossible to audit and literally could be doing anything, is frankly deluded.
Even if your app works superficially in its task, we have no way of knowing if there's a backdoor so that a hidden master secret can always grant access or if there's a way of remotely triggering a lockdown to be used for blackmail. Maybe your app doesn't, that doesn't matter, what matters is that there's absolutely no way whatsoever of knowing.
Those concerns are assuming the app is fully locked down as a passive filter between the ports you're forwarding. We've just got to take it on trust that it's never initiating other connections out or allowing connections in after certain trigger conditions. It's just a random black box that you're asking people to trust.
Compared to the alternative of taking any of the existing implementations of a standard, being able to audit it as source code and integrate it into the app, or even outright swap it out and replace it for a different implementation of the same standard, literally nobody will want to do this.
I'm glad for you that you've done this. You've hopefully learned a lot through the process, and if you're actually using it yourself, you have a library that you've written yourself, you know you can trust and all is good for you (assuming there are no critical bugs that you've overlooked). But asking others to use it is just asking others to outright reject your project, particularly when you not only don't seem to understand a single one of our concerns, you don't even seem to want to try to understand them.
If you want to make a career in computer security, you need to understand these concerns and fully adopt them yourself in whatever you do, or it's almost a certainty that your systems will get hacked.
Finally, have a think about how you've framed your solution. "Zero trust". And yet you are requiring everyone who uses your product to trust it fully with literally the most important thing in their security model. And you can't provide any guarantees about it whatsoever. That's literally about as far from "zero trust" as it's possible to get.
Oh, I just noticed @Alyx basically wrote the same stuff, and more succinctly, while I was writing my post. I guess it doesn't hurt to hear it twice.
Fair points. I appreciate the detailed feedback and the nice reply. You're right—trusting a random binary is a big ask in the security world, and I probably underestimated how that looks to others.
This started as a personal learning project (Lite version), and I've definitely learned a lot from this discussion, both technically and regarding the security mindset. I’ll keep these principles in mind for future improvements.
Thanks for the advice. Cheers.
Looks good. I'll bookmark this for now.
Thanks for sharing mate.
I don't know if he will understand this; all of his replies are translation and/or through ChatGPT
Even his last reply is like "I don't care what others' views are, but you are right ..."
Maki, seriously, stop. You’re replying to everyone like a total obsessed stalker. Are you trying to be my No.1 fan or just a "Den-sha Chikan" (train creeper) following me around the internet? It’s getting weird. If you’re so in love with me or my code, just say so. 🤡
Keep replying using an LLM, don't worry, someone will validate you here
Glad you like it, mate! Thanks for the support.
If you run into any bugs or have suggestions, feel free to open an issue on GitHub. Cheers!
whoever uses it is just a fucking idiot like you so yeah, don't count on anyone using your ai slop
Yeah, English isn't my native language, so I use LLM to translate. So what? Keep dancing for me, my obsessed "Chikan" fan. 🤡
@Admins ban this guy. cas f-word.
But you have not posted any code at all?
Actually, I was referring to the code I shared in my previous project, SPFW. Hope that clears up the confusion!
Cheers.
What problem does this solve?
Why would I use this rather than something established like Nginx and Authelia?
It introduces a new problem for you
lightweight.
It’s a free service—feel free to scan for viruses or suspicious activity. Use it if you like, or just move on if you don't. No one’s forcing you. 🌸
I don't like vibes of this thread.
Me too. Disappointing, honestly.
I don't like vibes of your release either
That’s fair. Not everyone has to like it. 🌸
Look, I say this with total respect for the effort you’re putting in: Please stop trying to "fix" or reinvent TOTP. I know you’re worried about the security flaws in current 2FA implementations, but the solution isn't a custom script or a better way to hide seeds. The solution already exists, and it’s called WebAuthn.
WebAuthn is cryptographically bound to the domain. If a user is on legit-site.com, their browser physically won't let them sign a challenge for legit-site-scam.com. The security is handled at the hardware/browser level, not the "hope the user is paying attention" level.
Managing a vault of TOTP seeds is a liability. You have to worry about encryption-at-rest, key rotation, and internal leaks. WebAuthn removes that entire category of "things that can keep you up at night." You’re essentially outsourcing the hardest part of security to the secure hardware already inside the user's phone or laptop (TPM/Secure Enclave).
Instead of writing custom logic to verify timestamps, drift, and one-time usage, you use a standard challenge-response API. It’s cleaner, it’s shorter, and it’s supported by every major browser. WebAuthn fixes every complaint you have about 2FA vulnerabilities because it moves the "secret" to a place where neither you nor the hackers can ever touch it.
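As an added illustration (not part of the post above, and not code from the project under discussion), this is the server-side binding check that the post's WebAuthn argument rests on: the relying party compares the origin, challenge and RP ID hash that the browser and authenticator filled in. The `sample` and `rejection` helpers, the `https://` origin and the sample values are constructed for the example; verifying the signature with the stored public key is still required and is omitted because it needs a non-standard-library crypto package.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "legit-site.com"                    # domain used in the post
EXPECTED_ORIGIN = "https://legit-site.com"  # assumed https origin for that domain

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_assertion(client_data_json, authenticator_data, issued_challenge, stored_count):
    """Return the new signature counter or raise ValueError.
    Binding checks only: the signature over authenticator_data ||
    SHA-256(client_data_json) must still be verified with the stored public key."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    # The challenge is random, issued once per login, and discarded after use.
    got = str(client.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge).encode()):
        raise ValueError("challenge mismatch")
    # The browser, not the user, fills in the origin it is actually showing.
    if client.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch")
    if len(authenticator_data) < 37:
        raise ValueError("authenticator data too short")
    rp_hash, flags, count = struct.unpack(">32sBI", authenticator_data[:37])
    if not hmac.compare_digest(rp_hash, hashlib.sha256(RP_ID.encode()).digest()):
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:  # UP bit: user presence
        raise ValueError("user not present")
    if (count or stored_count) and count <= stored_count:
        raise ValueError("signature counter did not increase")
    return count

def sample(origin, rp_id, challenge, count):
    """Constructed stand-in for what a browser and authenticator return."""
    cdj = json.dumps({"type": "webauthn.get", "origin": origin,
                      "challenge": b64url(challenge)}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", count)
    return cdj, auth

def rejection(origin, rp_id, challenge, issued, count, stored):
    """Reason the assertion is rejected, or None if it is accepted."""
    try:
        check_assertion(*sample(origin, rp_id, challenge, count), issued, stored)
    except ValueError as err:
        return str(err)
    return None
```

A response produced on `legit-site-scam.com` carries that origin and that RP ID hash, so it fails these checks no matter what the user typed or clicked.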
suggest subject change to [RELEASE] Untrusted-Zero-Trust-Lite: Untrusted, Tiny & Secure Zero-Trust Gateway for your VPS
Congratulations. Due to the "wonderful" feedback here.
"When nothing is charged, nothing is owed." Goodbye. 🌸
Hallo everynyan,
Deleting stuff on the internet isn't how it works. This guy also doesn't know how to use git so that helps.
I have saved all the binaries and cloned the git repo. You can look at the old readme by looking at commit history.
https://pixeldrain.com/l/Rzv9xa4y
It's still on the main branch:
https://github.com/Usagi537233/Zero-Trust-Lite/tree/main
https://archive.ph/wip/wGxW9
https://github.com/Usagi537233/Zero-Trust-Lite/commit/236034b96d34ed271338c5cd2a53829816d88556
a few seconds later
https://github.com/Usagi537233/Zero-Trust-Lite/commit/78addcac3cd7791fbfa4c04bc1354a896f2b9dd2
Not tiny
“Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.”
― Antoine de Saint-Exupéry