New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
my desktop has 32GB DDR5, laptop 64GB DDR5. still, i multitask a lot
Show me your taskbar. To drain 32GB of sweet DDR5 there should be a LOT of tabs with hentai.
Not that much. Only <200 tabs of Gelbooru and E-Hentai on Firefox is enough to put memory pressure on a 32 GiB laptop if you don't use a tab-unloading add-on.
Hello, @marix
Can you add the function SFTP (SSH File Transfer Protocol) to your app/program? I'm currently using Filezilla for this.
and would also be useful for ftp to be able to choose the folder if you create a host and it doesn't end up straight away in www or root
@forest can you help explain to me what this app is doing which is so dangerous, I can't understand it from the description and the posts. But thank you for your informative views as a security researcher it helps me learn. I've used a few SSH frontends like sshm or lazyssh - I assumed these were safe because they were basically just wrappers and not storing or transmitting any data, how is this so different, and are these other wrappers really safe to use?
The problem is that, although it uses proper SSH for the protocol itself, it also parses data from the server and the code is poorly-written, since it has zero eyes on it (it's all AI-written, so not even the author understands the code).
I don't know about those other wrappers, but whether or not they are safe depends on how much control the server has over the control flow within the wrapper. An example that used to be a serious issue (but is largely not a big deal anymore) is exploits through terminal control codes, where an SSH server could exploit an SSH client running under xterm.
So the security concern and threat model here is in the case that you could connect to a malicious server?
That's the main one I can think of, besides physical offline attacks against the poor KDF settings, but there could be other issues that I just haven't seen, like attacks from unauthenticated users on the network.
Note that there may be pre-auth vulnerabilities as well, so exploitation may be possible even if you have verified your server's host key and the attacker is on the network but has no control over your server.
and then..
dunno chief. hard to trust app that wants your ssh private key if they have these kind behavior as opposed to just using /usr/bin/ssh
a ssh client that rely on node / python package system is a redflag for me. as the app itself can be not malicious but someone else can push credential stealer on the package dependency.
better to adding these to the post.
pls read readme sftp are include on 1.0.0 version
I understand your concern, and this mostly comes down to threat models.
Marix does not attempt to replace /usr/bin/ssh for users who require a minimal, fully-audited TCB. If someone’s security model is “only trust the system SSH client”, then Marix is not the right tool — and that’s explicitly acceptable.
Regarding VirusTotal behavior: Electron/Node applications will naturally exhibit filesystem, process, and network activity. Those reports do not indicate credential exfiltration, nor does Marix transmit private keys or secrets off-device. All SSH operations ultimately rely on the system SSH binary.
Supply-chain risk in package ecosystems is real, which is why Marix is open source, dependency-pinned, and does not load remote code at runtime. This is the same trust trade-off made by widely-used tools like VS Code and GitHub Desktop.
If your threat model requires zero third-party dependencies, then sticking with /usr/bin/ssh is absolutely the correct choice.
It's almost like he didn't even read:
@ScreenReader On another note, I just saw your signature about Anna's Archive. I had no idea they allowed volunteering through torrent seeding. That will fit perfectly in the niche of low-RAM, high-bandwidth VPSes I have. The ones with plenty of RAM are already running Hyphanet (a distributed data store which, having been written in the early 2000s, is written entirely in Java), but there are some with 10-100 GB of wasted storage and not enough RAM (or vCPUs) to run Hyphanet.
I'll set up rtorrent on a dozen or so of my servers and start seeding! Thanks for making me aware of that!
And if you have any idlers with spare bandwidth, might I suggest you run some Tor middle relays?
IMO open source alone is not enough for a tool like these, what about you add the build system inside the github action itself to be more transparent, so whatever the build artifact is, people can see it's build history? can't have someone stuffing funny stuff inside like the https://tukaani.org/xz-backdoor/
hey thank you for the interest, i've been seeding anna's library for quite some time now but only book collections I'm interested in (like old fiction/magazine). more bandwidth are always welcome.
as for tor middle relays i'll try to host some. my VPS are mostly in APAC region and the bandwidth are usually spent in syncthing relays. as long as they can be bandwidth-limit i'm sure it's manageable
I'm using https://annas-archive.li/torrents which automatically picks out some mirror links for me to seed, rather than choosing individual torrents to archive. It looks like it automatically chooses the torrents that need seeding the most.
APAC regions are actually really valuable since they're rare! They don't get heavy usage since most of the network is concentrated in Europe, but they do get some. My Nigerian relay is currently pushing about 2 Mbps in each direction (despite being capable of handling 100 Mbps) whereas my Netherlands relays get over 150 Mbps in each direction, for example.
Bandwidth-limiting Tor relays is as simple as adding this to the torrc configuration file (an example for 4.5 TB):
In case it is helpful to anyone who wants to seed these as well, this is my current setup for rtorrent, optimized for security (MAC sandboxing, seccomp syscall filtering, systemd sandboxing, and privilege separation). It seems to work well so far.
Initial setup:
Systemd unit file (
/etc/systemd/system/rtorrent.service):AppArmor profile (
/etc/apparmor.d/usr.bin.rtorrent):rTorrent configuration file (
/etc/rtorrent.conf):Finishing up:
And now you have a secure, hands-free way to support Anna's Archive on your idlers!
Uh-oh, I think marix has been hacked by a human. This is clearly not an LLM generated reply....
I saw that and was filled with hope, but then I scrolled down one more post and saw "I understand your concern, and this mostly comes down to threat models." and rolled my eyes.
Couldn't you still get abuse reports for doing this? or are your idlers chosen from the ones that support tor relays and aren't like that
I'm sure you could get an abuse report in theory, but this is archival rather than straight-up distribution of ready-to-use data, so the chances would be extremely low. The only realistic way you'd get in trouble is if your host hates torrents in general and monitors their network for torrent activity (or looks on places like ipinfo.io to see if their IPs are found on DHT).
I'd say, if the host literally says "no P2P or torrent applications" then abide by that. Otherwise, don't really worry about DMCA, since the chances that you'll get a DMCA complaint are very low for something like an archival torrent.
Good point — I agree this matters.
At the moment, releases are already built via CI and tied to specific commits, and the artifacts are not built locally. What’s still missing is making the build workflow more visible and explicitly documented, which I’m updating now so anyone can trace how each binary is produced.
Thanks for raising the supply-chain angle — it’s a fair concern, especially after incidents like XZ.
A list of tags has no relevancy to supply chain issues and does not alleviate the previous concerns in any way.
I wouldn't be surprised if the CIA was able to get AI companies to use weakened security on purpose.
[1.0.13] - 2026-01-23
Added
Lazy Theme Loading: Terminal themes are now loaded on-demand from JSON files
themeService.ts,index.tsSFTP Drive Selector: Added drive/disk selection dropdown in local file browser
lsblkincluding NTFS, ext4, exFAT, USB drivesindex.ts,DualPaneSFTP.tsxLAN File Transfer Encryption: AES-256-GCM encryption for file transfers
LANFileTransferService.ts,LANFileTransferPage.tsxLAN File Transfer i18n: Full internationalization support
Fixed
RDP Connection Detection: Fixed "endless waiting" issue when connecting to Windows servers
gdi_init_exRDPManager.tsRDP Error Handling: Improved error messages for common RDP failures
RDPManager.tsRDP Session Cleanup: Fixed session not removing when xfreerdp window closes
App.tsxYou're correct that version tags alone do not address supply-chain security concerns.
The tags are provided to improve traceability and transparency for users, not as a claim of full supply-chain verification.
Given the scope of this project (desktop client, no auto-update, no privileged execution), we currently consider this an acceptable baseline. More advanced measures like reproducible builds and signed artifacts may be explored in the future.
I haven't even looked at it, but if you're doing some kind of kex (which you should be), then there's no need to use PBKDF2. Also, PBKDF2 sucks and has been supplanted by Argon2.
I think I'm in love , but still has some bugs that need to be fixed
Haha, thank you! ❤️
Definitely still some bugs to squash, but I’m working on improvements every release.
Your feedback is always welcome!