Do not expose anything without authentication.

And absolutely do not expose a folder with something like `python -m http.server -b 0.0.0.0 8080` if you have .git in it, someone will help themselves to it immediately.

If you are aware of this, funnel works fine and is not insecure.

Tailscale IMHO failing in educating people about this danger. They do mention in on the docs, but I think it should be a big red warning when you start it, because people clearly does not realise this.

I took a quick look a while ago and watching just part of the CT firehose, I found 35 .git folders in 30 minutes.

No idea if there was anything sensitive I just did a HEAD check against `.git/index` if I recall.

https://infosec.exchange/@gnyman/115571998182819369

On the topic of tamagotchi, if you happen to have a flipper zero there is emulator for it :-) my kid enjoyed it for while and it saved me a few bucks from having to buy one.

https://github.com/GMMan/flipperzero-tamagotch-p1

You can run it on tama-p1 on other platforms also but the flipper was very reminiscent of the original one.

It uses the pagefind project so it can be hosted on a static host, and I made a fork of pagefind which encrypts the indexes so you can host your private chats wherever and it will be encrypted at rest and decrypted client-side in the browser.

(You still have to trust the server as the html itself can be modified, but at least your data is encrypted at rest.)

One of the goals is to allow me to delete all my data from chatgpt and claude regularly while still having a private searchable history.

It's early but the basics work, and it can handle both chatgpt and claude (which is another benefit as I don't always remember where I had something).

https://github.com/gnyman/llm-history-search

although I run 140.6.0esr so maybe newer ones need a even higher one?

the code is on GH now https://github.com/gnyman/mapdraw , codeberg is on my todo

it's a static webpage, the source is available with right-click view source, I added a BSD2 licence header to it to make clear it's fine to take and do mostly whatever with

for this case project I think I would actually go back and say it's vibe coded, but I didn't want to just call it vibe coding because I did spend time going back and forth and directing the agent

https://simonwillison.net/2025/Oct/7/vibe-engineering/

I needed a way to share a link to a map, with drawings and the ability for the receiver to see their own location on the map.

Annotated screenshots solves the first but not the second.

Vibe engineered this, with many of the same ideas as OP.

Took an evening. Just in time apps for one specific use case is a thing.

And because it's so cheap to make and can be hosted cheaply with no backend, it can be given away for free.

https://nyman.re/mapdraw/#l=60.172108%2C24.941458&z=16&d=LU8...

To the author, I wish you best of luck with this but be aware (if you aren't) this will attract all kind of bad and malicious users who want nothing more than a "clean" IP to funnel their badness through.

serveo.net [2] tried it 8 years ago, but when I wanted to use it I at some point I found it was no longer working, as I remember the author said there was too much abuse for him to maintain it as a free service

I ended up self-hosting sish https://docs.ssi.sh instead.

Even the the ones where you have to register like cloudflare tunnels and ngrok are full of malware, which is not a risk to you as a user but means they are often blocked.

Also a little rant, tailscale has their own one also called funnel. It has the benefit of being end-to-end encrypted (in theory) but the downside that you are announcing your service to the world through the certificate transparency logs. So your little dev project will have bots hammering on it (and trying to take your .git folder) within seconds from you activating the funnel. So make sure your little project is ready for the internet with auth and has nothing sensitive at guessable paths.

[2] https://news.ycombinator.com/item?id=14842951

https://www.hackerfactor.com/blog/index.php?%2Farchives%2F10... (search his blog if you want more of his thoughts on it)

I don't have a know enough bout this but I've been reading his blog for other topics a while and he does seem to know a lot about photo authenticity.

Sorry for just offering speculation, hopefully you figure it out. Even if it was "only" a Reddit account, the feeling of not knowing how it happened and if other things are at risk must be horrible.

https://crxplorer.com/ might help you to inspect your extensions a bit deeper if you are interested and have the knowledge.

And finally, just a comment, passkeys/webauthn/fido keys would not protect against a session cookie theft. They only prevent the login stage from being phished.

According to this Krebs article https://krebsonsecurity.com/2024/12/why-phishers-love-new-tl... 13% of the xyz domains was related to phishing, not as bad as .top which ahd 30% but still bad.

If you have swap already it doesn't matter, but I've encountered enough thrashing that I now disable swap on almost all servers I work with.

It's rare but when it happens the server usually becomes completely unresponsive, so you have to hard reset it. I'd rather that the application trying to use too much memory is killed by the oom manager and I can ssh in and fix that.

[1] https://docs.redhat.com/en/documentation/red_hat_enterprise_...

I would add a link to the gitlab to the page also, clicking the LICENCE brings me to the source code but other than that there did not seem to be a link .

Out of curiosity, did you use LLM's to code this? My gut feeling tells me at minimum the readme was written by one, or maybe it's normal to use emojis everywhere :-) Also I am not meaning to judge it as good or bad, I'm just curious.

I think one thing that LLM's and coding agents enables, is creating these customised solution which solve a specific problem, in a specific way. Some might consider it wasteful. I bet many thinks your effort would have been better spent contributing to one of the existing ones instead of doing yet another tool, but I find fascinating that we can finally tell our computers what we need and the will do it.

If you hand-wrote everything, then apologies for the unrelated rant :-)

https://www.tomshardware.com/pc-components/hdds/seagate-spin...

(the title is also ~p~fun)

These joke pages have been around since http://ismycreditcardstolen.com/

And I even made my own version https://hasmypasswordbeenstolen.net/

The difference is that neither the original nor mine actually submits the secret to the server. I went to great lengths to avoid actually doing it, it's still a bad idea to send a password to my page but at least you can check the source and network traffic and see that it's only checked with JavaScript and a hash is checked against the HIPB password site.

This supposed joke site sends and processes the key on their backend. At least it looks like that, I have not tried with a real key.

There is a free tier but it only includes some patches. They have prices listed on the website for the paid tiers.

I have no experience with using them, but just sharing in case it's useful those who doesn't want to or can't throw away their old systems.