Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


FoxVM - (Custom Panel-Billing System) | $3/month | Dallas/Texas | Your own ISO | 24/7 Support - Page 2
New on LowEndTalk? Please Register and read our Community Rules.

FoxVM - (Custom Panel-Billing System) | $3/month | Dallas/Texas | Your own ISO | 24/7 Support

2

Comments

  • @joepie91 said:

    You can think of me as a developer and auditor with his source code at the same time but thanks for your offer and we may consider that in the future.

    Hint: Here is a little snippet of the source code

  • joepie91joepie91 Member, Provider

    @MacPac said:

    @joepie91 said:

    You can think of me as a developer and auditor with his source code at the same time but thanks for your offer and we may consider that in the future.

    Hint: Here is a little snippet of the source code

    You're not using a templater with autoescaping enabled by default, and there's probably several XSS vulnerabilities in that snippet of code alone. And that's just one of the obvious categories of issues.

    I would strongly recommend refraining from making any claims about security, based on that code snippet.

  • @joepie91

    Thanks for hitting the trigger but how exactly are you going input your xss to be executed by the last snippet while this snippet takes the input

  • joepie91joepie91 Member, Provider
    edited September 2016

    @MacPac said:
    @joepie91

    Thanks for hitting the trigger but how exactly are you going input your xss to be executed by the last snippet while this snippet takes the input

    1. HTMLPurifier is completely the wrong thing to use here, that's for if you want to allow certain 'safe' formatting tags. You should be escaping instead, because < and > are completely valid characters in and of themselves.
    2. "Sanitizing" on input is exactly the wrong thing to do.

    Start here, and you should seriously hire either a competent developer or a competent auditor. This is not going to end well.

    EDIT: To be clear - after having a discussion about this on IRC, I have no expectations that these issues are going to be resolved correctly, or that there's a serious regard for security. Thus, I can only recommend to stay away from FoxVM - it's probably going to get owned sooner or later.

  • MacPacMacPac Member
    edited September 2016

    @joepie91
    Thanks for trashing up our first attempt and we are not going to be owned sooner or later and history will be proof the otherwise.

  • joepie91joepie91 Member, Provider
    edited September 2016

    @MacPac said:
    @joepie91
    Thanks for trashing up our first attempt and we are not going to be owned sooner or later and history will be proof the otherwise.

    I've given plenty of (free!) advice on how to approach security correctly. Choosing not to follow it, and stubbornly insisting that your current practices are fine, is entirely on you.

    And honestly, if you're going to mention me in a way that suggests that I've already tried and found it secure... then don't be surprised if I point out that that isn't the case.

    (But seriously, arrogance is the single fastest way to get owned.)

  • @joepie91

    You're probably right at some points, I have taken your plenty (free!) advice seriously and there is still a lot of work to be done.

  • MacPac said: there is still a lot of work to be done.

    So your panel is insecure right now?

  • @trvz

    The statement you quoted is clear, there is no such completely secure system even the standard WHMCS/SolusVM are always having security issues and I am clearly saying we are doing our best to improve our panel security/usability/functionality.

    Thank you!

  • JonchunJonchun Member, Provider
    edited September 2016

    @jarland said:

    Jonchun said: You'd have to be an absolute tool to consider "custom billing panel" and "custom control panel" as a selling point

    It means someone gave enough of a shit about their product to sit down and spend time on it instead of spin up the default, cookie cutter, one-click install, turnkey hosting business. If that upsets you badly enough to insult me, I'm disappointed.

    Please understand that I'm not insulting you personally. I'm pointing out that your thought process is flawed if you immediately equate a "custom panel" to "caring about your business". In reality, if you cared about your business, you should want to provide quality product.

    You can't argue that ONLY putting in time is the equivalent of providing quality. You still need to utilize the time spent efficiently in order to help achieve a quality product. A custom panel has the potential to help build a quality product, but not when it offers LESS than what's currently prevalent in the industry. Yes, a custom panel can be an indicator of caring about your business, but is not necessarily the logical equivalent.

    Take MXRoute: You care about your product. You put time and effort into making the service better. However you don't waste your time on a "custom panel" that has extremely limited features. Why? Because an affordable and professional alternative, cPanel, exists.

    Take FoxVM: @joepi91 gives plenty of advice on what should and shouldn't be done. Instead of accepting the criticism, the answer is basically "this is our first time its still a work in progress stop hating". To me, this does not indicate that they "care about the business." The panel is clearly not production ready, yet they're launching with it and trying to use it as a selling point.

    I'll put it bluntly. This entire advertisement was basically a bunch of screenshots of their "custom website". It doesn't look like anything that would take longer than a weekend to code, especially if you simply use a framework with some prewritten libraries for stuff like billing and support. It looks to me more like a cheap attempt at being unique and hoping it will attract customers than actually caring about the quality of product.

    My advice to OP: I would have taken this much more seriously (and maybe even ordered one to support you guys!) had you gona with a standard whmcs+solusvm or proxmox module combo so that standard functionality is available for clients, but then you also included screenshots of a custom panel in progress and demonstrated that you wanted to take your business the extra mile.

    Right now, your focus is clearly not on making the product better or more reliable, or even on customer experience.... but on trying to market a " custom panel" as the key selling point for your service. You have to admit that objectively speaking, choosing premade scripts/software would have provided your clients more value and more features. Every great piece of software has to start from the beginning, but that doesn't mean your customers should have to see what's essentially a pre-alpha.

    @jarland : Hopefully that clears up my stance for you.

    @macpac : Don't take my post the wrong way. Would be awesome to see you succeed. Let me know if you have any questions about why I'm not sold on FoxVM's success yet.

    This image sums it up pretty nicely

    Edit: Am on a computer now and cleaned up some of the text.

    Thanked by 1Infinity
  • @MacPac said:

    Would you please solve my problem, but not here dispute and unrealistic logic, if you have enough time.....

    The meaning of life lies in exploring the unknown forever...✅

  • @Jonchun: The main problem is that you sound so negative. You really should listen to your words.

    Jonchun said: A custom panel has the potential to help build a quality product, but not when it offers LESS than what's currently prevalent in the industry. Yes, a custom panel can be an indicator of caring about your business, but is not necessarily the logical equivalent.

    First of all, MacPac never made any claim about how their custom panel relates to other panels. Presumably, a panel in a earlier stage of development won't offer all of the features of a panel that has been in development for a much longer time. This goes without saying. And MacPac didn't claim otherwise.

    If one followed your reasoning, then one would never use a panel that offers less than whatever the "industry-standard panel" offers. But perhaps MacPac's panel does what they want/need a panel to do, or at least most of what they want/need a panel to do. In this case, why shouldn't they use it and continue to develop it (as needed)? (As always, security is a concern, but it's not as though you were demonstrating a security hole in their panel.)

    In my reading of MacPac's offer, I understood that they were excited about their panel and wanted to convey this excitement to the reader. One can simply look past this and consider the details of their offer, if one wants, but it's hard to see why this should incite such a negative reaction on your part.

    "Linux will run happily with only 4 MB of RAM, including all of the bells and whistles such as the X Window System, Emacs, and so on." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 32)

  • @Jonchun: Just to add, if jarland's remark and not MacPac's panel was your target: jarland simply made a complimentary remark regarding MacPac's effort to develop a custom panel. He didn't recommend or endorse their particular panel (nor, I assume, could he have, because he isn't acquainted with it).

    Thanked by 1Jonchun

    "Linux will run happily with only 4 MB of RAM, including all of the bells and whistles such as the X Window System, Emacs, and so on." (M. Welsh & L. Kaufman, Running Linux, 2e, 1996, p. 32)

  • JonchunJonchun Member, Provider
    edited September 2016

    @angstrom said:
    First of all, MacPac never made any claim about how their custom panel relates to other panels. Presumably, a panel in a earlier stage of development won't offer all of the features of a panel that has been in development for a much longer time. This goes without saying. And MacPac didn't claim otherwise.

    It also goes without saying that a custom panel with less features is not a "feature" as advertised:

    Features
    Custom support center
    Custom billing system
    Custom control panel

    .

    If one followed your reasoning, then one would never use a panel that offers less than whatever the "industry-standard panel" offers.

    In such a cutthroat industry, why would you? Especially when the new panel is missing very basic functionality.

    In my reading of MacPac's offer, I understood that they were excited about their panel and wanted to convey this excitement to the reader. One can simply look past this and consider the details of their offer, if one wants, but it's hard to see why this should incite such a negative reaction on your part.

    I see it negatively because all evidence points towards
    1) a cheap attempt at trying to win clients with the words "custom". The only advantage of a custom panel is that you can add features that non custom panels don't have... This current iteration doesn't even come close to what non custom panels offer.
    2) cutting costs on a solusvm + whmcs license rather than wanting to provide a quality experience for their clients as demonstrated by an extremely early launch. (And without getting their stuff audited either)

    As for the efforts in making a panel... I certainly do applaud them. I definitely appreciate a startup that wants to be more than a cookiecutter host.

    However, it looks like you're missing the bigger picture. They should have waited until the panel was complete/on-par with industry expectations before launching, or they should have launched using standard tools and provided evidence that they are putting in the extra effort if they really wanted to launch sooner. Choosing to launch an underdeveloped product is simply negligence, and doesn't demonstrate to me much other than " they spent a weekend or two hooking up proxmox api with a UI," and doesn't exactly inspire confidence in the future of the business.

  • jarjar Provider
    edited September 2016

    @Jonchun This isn't playing to your strengths, and could undermine a few of your achievements. If people want to appreciate someone able to put forward this extra effort to create something unique, and the provider wants to do it, the only reason to shit on them over it from another provider's perspective is jealousy. There may be security concerns, but that's really not the focus of what you're talking about.

    I recommend taking a page from my playbook. Take a look at my replies to competing mail provider offers.

    Britney is innocent

  • LOL, I find all this entertaining, as I invested heavily on software. I could offer an all in one solution without macpac's custom coded panel, I have over $1000 of modulesgardens modules, I have an owned whmcs license, I have paid for solusvm over to run it entirely on that if wanted, and I also have paid for 1 year license of Zendesk. Over all, it's multi-thousands of dollars of money poured into trying to make people happy but #LET never fails to try to shit on business owners, regardless of what they try to do. Thanks all!

    • Need a fast & reliable KVM VPS? Try ServerHand today.
    • VPS & Dedicated Servers currently located in Dallas (TX, USA), Los Angeles (CA, USA), Miami (FL, USA) & Piscataway (NJ, USA)
  • It doesn't matter though.



    • Need a fast & reliable KVM VPS? Try ServerHand today.
    • VPS & Dedicated Servers currently located in Dallas (TX, USA), Los Angeles (CA, USA), Miami (FL, USA) & Piscataway (NJ, USA)
  • JonchunJonchun Member, Provider

    @Arcanum said:
    LOL, I find all this entertaining, as I invested heavily on software. I could offer an all in one solution without macpac's custom coded panel, I have over $1000 of modulesgardens modules, I have an owned whmcs license, I have paid for solusvm over to run it entirely on that if wanted, and I also have paid for 1 year license of Zendesk. Over all, it's multi-thousands of dollars of money poured into trying to make people happy but #LET never fails to try to shit on business owners, regardless of what they try to do. Thanks all!

    Awesome! You should use them! I highly recommend using a well-developed product(s) vs a weekend project. I think it's great to see a provider with potential in the market. I know you and MacPac must be excited to launch your custom offerings, but please don't kill your potential by launching with an incomplete product... Yes, it's a matter of principle, and I'm sure my $3 isn't going to mean much at the end of the day, but if you're willing to reconsider your approach, I can guarantee you I will sign up and give you a shot. It's your business, and your call. I gave my reasons for what raised red flags for me, and hopefully you take them into consideration.

    @jarland said:
    @Jonchun This isn't playing to your strengths, and could undermine a few of your achievements.

    I'm not sure why you're turning this in a personal attack against me. I've made my stance pretty clear and made some pretty solid points to back it up.

    If people want to appreciate someone able to put forward this extra effort to create something unique

    Again, let me re-iterate. I really do applaud the fact that they're trying to be different.

    the only reason to shit on them over it from another provider's perspective is jealousy.

    I'm speaking from a LET member's perspective? Even if I were speaking from another provider's perspective, wouldn't you say jealousy only really applies if the two businesses are in the same market/targeting the same clients?

    There may be security concerns, but that's really not the focus of what you're talking about.

    Their attitude towards security was pretty worrysome. I'm not sure if you missed it.

    I recommend taking a page from my playbook. Take a look at my replies to competing mail provider offers.

    I love your approach to competition, and I love that you're open about helping competitors. I share the same views, and thus am giving my take on what I believe would make their business better.

  • jarjar Provider

    Jonchun said: I'm not sure why you're turning this in a personal attack against me

    Just friendly advice. You're set on ignoring it, so by all means do :)

    Britney is innocent

  • JonchunJonchun Member, Provider

    @jarland said:

    Jonchun said: I'm not sure why you're turning this in a personal attack against me

    Just friendly advice. You're set on ignoring it, so by all means do :)

    I'm trying to figure out how I'm ignoring you though. So far your argument has consisted of:
    1)

    It means someone gave enough of a shit about their product to sit down and spend time on it instead of spin up the default, cookie cutter, one-click install, turnkey hosting business.

    I kindly gave solid reasons for why being unique doesn't make you useful, but you choose to ignore that fact.

    2)

    This isn't playing to your strengths, and could undermine a few of your achievements. I

    Apparently me pointing out some red flags somehow undermines my achievements or affects me as a person? I'm not really sure what you mean by this.

    3)

    The only reason to shit on them over it from another provider's perspective is jealousy.

    I've kindly explained that someone offering low budget VPS out of OVH is not even remotely close to the market(s) I've been dabbling in. Are you still going to accuse me of being jealous?

    4)

    There may be security concerns, but that's really not the focus of what you're talking about.

    I'll leave @joepie91's quote to sum that point up:

    Start here, and you should seriously hire either a competent developer or a competent auditor. This is not going to end well.

    EDIT: To be clear - after having a discussion about this on IRC, I have no expectations that these issues are going to be resolved correctly, or that there's a serious regard for security. Thus, I can only recommend to stay away from FoxVM - it's probably going to get owned sooner or later.

    Normally, you come up with quality arguments and back your statements up. Quite frankly, it feels like this time around you're favoring a side without having any solid reasons to defend it with.

    It looks like you're taking this to be pretty black and white, and are ignoring the fact that I can appreciate someone's efforts, but still find their launch/business decisions questionable.

    @jarland: Looks like this is going to get out of hand if we continue, so feel free to PM me if you have anything to add!

    @Arcanum and @MacPac : I already spent some time writing this up, so it will be my last post in this thread. If either of you feel I'm randomly and baselessly attacking you, I encourage you to use the "Report" button and have the thread cleaned up. Hopefully you can see past the fact that it's not the super positive feedback you were hoping for, and accept that I've brought up some pretty solid points. I wish you both the best and am curious to see how this turns out.

  • jarjar Provider

    Jonchun said: Looks like this is going to get out of hand if we continue

    Nope, I already offered my advice. I mean no harm. I've said what I said and have no intention of changing my mind on what impresses me.

    Britney is innocent

  • joepie91joepie91 Member, Provider

    MacPac said: The statement you quoted is clear, there is no such completely secure system even the standard WHMCS/SolusVM are always having security issues and I am clearly saying we are doing our best to improve our panel security/usability/functionality.

    Neither WHMCS nor SolusVM are examples of software where security is a big priority. If those are the bar you're trying to meet, you're going to have a problem. I also don't really get why you keep bringing them up - this kind of "but they're doing it too!" doesn't make you look better, it just makes you look like "one of those who don't quite get security", alongside the WHMCS and SolusVM developers.

    "Nothing is perfectly secure" is a complete non-argument in 100% of cases. Yes, technically speaking it's true, but it holds absolutely no relevance to this thread - the security issues that you find in well-designed software are cases of oversight, and they are fixed as soon as they are reported.

    You, on the other hand, choose to trivialize the issues that are found, flat-out refuse to fix the habits and technical decisions that led to these issues existing in the first place, refuse to have your code audited or reviewed by a third party, and refuse to outsource the development of a critical piece of business software to an experienced developer, choosing to do it yourself instead.

    That isn't an oversight, it's negligence.

    Stop trying to make excuses and fix your fucking shit already. And I really do mean fixing it, not "patching the vulnerabilities". Hire a competent developer or auditor. Use a real templater. And so on. Fix the problem at the root, instead of sticking band-aids over everything, because that's simply not how security works.

  • joepie91joepie91 Member, Provider

    Just got pointed at this by somebody in #lowendtalk.

    That didn't take long...

  • @joepie91

    Its made by our CEO @ Arcanum since he is one that controls *.foxvm.com , I am not sure yet what he is trying to do and i wish him a better chance without me.
    it was pointed to another server by @Arcanum and its not a a hack.

    @Arcanum

    This wasn't funny at all, thanks for supporting all the effort i have done to help you.

    @jarland

    Thank you for all your support mate, I will continue working on my panels and release them as a open source software later.

  • @joepie91 @trvz @Jonchun and the other trolls, the image(trolololol) was directed at you after all.

    PROOF

  • qq7119qq7119 Member
    edited September 2016

    @MacPac said:

    Just want to know how you solve the customer's problem? You can not even maintain their own website,You are a joke~

    The meaning of life lies in exploring the unknown forever...✅

  • joepie91joepie91 Member, Provider
    edited September 2016

    It's a bit confusing to follow all the events for people who aren't also on the IRC channel, so here's an excerpt of my response to this on IRC:

    [13:47] <joepie91> t0xic: you need to do some serious self-reflection, mate.
    [13:48] <joepie91> same to Escable.
    [...]
    [13:49] <joepie91> t0xic: for some reason, neither Escable nor you seem to grasp the fact that "I've invested effort into it" is not something deserving of praise when you fail to correctly address the issues in what you've just built.
    [13:50] <joepie91> "effort" does not translate to sales, it does not translate to respect, it certainly does not translate to quality
    [13:50] <t0xic> i really don't need more trolling
    [13:50] <joepie91> this shitstorm is entirely of your own making, thanks to your horrible handling of the security concerns
    [13:50] <t0xic> thank you for understanding
    [13:50] <joepie91> so stop trying to blame others for that
    [13:51] <joepie91> t0xic: I'm not trolling. perhaps you'd walk away from this with more useful knowledge if you stopped trying to classify every bit of criticism as "trolling" just so have an excuse to ignore it.
    [13:51] <joepie91> just to*
    [13:51] <t0xic> its gone, i am not blaming anyone and move on please
    [...]
    [13:52] <joepie91> t0xic: note, what I said was directed at both you and Escable, not just you personally

    EDIT: Formatting.

    Thanked by 1Jonchun
  • Awmusic12635Awmusic12635 Member, Provider

    Well this has been.... interesting

    Subnet Labs, LLC Contact Us Deploy to: Seattle, Dallas or NYC
    Impact VPS | Cloud Servers | Storage Servers | Impact Shared | Shared Hosting

  • Um...WTF?

    Here lies Nekki. He loved massive amounts of storage, K-Pop and calling people cunts.

  • MacPacMacPac Member
    edited September 2016

    @jarland
    Sorry about what i am going to say or the language i am going to use next but i can't hold it and i must say it.

    @Jonchun
    You're the world most fucking asshole and you should ask @IThinkUFailed who is the guy behind correcting your shitty SSL settings on that whmcs and you didn't deserve my help and i have should have left you vuln to just know the value of guys like me and i wasn't going to post this until you seemed to be happy about the closing of this project and you're disgusting.

    Good luck but i am coming back with my own tld and going to the dedicated hosting market just to compete with you and kick the hell out of you.

This discussion has been closed.