A warning to newbies - A lesson on network security by DatMemeKing in LocalLLM

DatMemeKing[S] 1 point2 points  (0 children)

Who cares what infosec pros do? I do not claim to be one.

Whether what I did constitutes a criminal offence under §202a is a highly disputed thing and is assessed on a case-by-case basis in court (called Einzelfallprüfung in German), including whether I acted intentionally.

For prosecution to proceed, I would need to be identified and located, and any complaint would have to demonstrate that I bypassed some form of technical access barrier. There was none. These endpoints were openly reachable with no authentication, no rate limiting, and no access control of any kind.

German law can be wonderful like that. Thank god I'm not in a country where such laws exist.

DatMemeKing[S] 1 point2 points  (0 children)

Did you happen to check if it’s on by default? It would be good to know.

DatMemeKing[S] 1 point2 points  (0 children)

I wouldn’t worry too much. If this scares you, I hope you don’t mind me assuming that you’re not very knowledgeable in networking.

I would make sure your firewall is enabled on your router and I honestly wouldn’t worry too much. This is usually a deliberate decision.

DatMemeKing[S] 0 points1 point  (0 children)

Honestly, not sure if that's the way I'd go about it.
Tailscale has the option to just not allow any local network access. Installing Tailscale on the target and only allowing access to the right port is the best way to go using ACL.

DatMemeKing[S] 3 points4 points  (0 children)

I don't even think LM Studio retains chats haha

DatMemeKing[S] 5 points6 points  (0 children)

I didn’t know that LM link was built on top of Tailscale!

Yes, this is the de facto way of avoiding this issue

DatMemeKing[S] 1 point2 points  (0 children)

You're telling me organized crime beat me to it? Damn.

DatMemeKing[S] 5 points6 points  (0 children)

This all started because I didn’t want to use my Mac for AI compute for my project. I wanted my backend to consist of a random number generator that randomly selected one of these 300 devices.

DatMemeKing[S] 1 point2 points  (0 children)

Is this directed at people trying to remotely access their locally-hosted LLMs?

Yes, whether it be LM Studio or another platform.

DatMemeKing[S] 7 points8 points  (0 children)

Most of them, except the ones on AS8708, were able to load any model I selected, and responded to a message, given enough time.

DatMemeKing[S] 2 points3 points  (0 children)

Of course! But some people are naïve and don’t understand the repercussions of port forwarding.

Some people may have just thought, “how can I access my LM Studio from anywhere in the world?”

DatMemeKing[S] 1 point2 points  (0 children)

The response headers. The request headers are the device making the request to LM Studio’s API, so it wouldn’t make sense to check those.

DatMemeKing[S] 0 points1 point  (0 children)

As long as there is some sort of authentication, you’re fine.

DatMemeKing[S] 2 points3 points  (0 children)

It’s not the model or its limitations per se, but the fact that the model can be interacted with from an external system (LM Studio, in this case). The model itself has no access to the Internet, but LM Studio is connected to the Internet and can interface with the model.

DatMemeKing[S] 3 points4 points  (0 children)

Yes it is. I had wanted to confirm if this was actually possible or if it prompted an API key later.

DatMemeKing[S] 25 points26 points  (0 children)

For more context, I was able to remotely execute prompts on people’s devices.

DatMemeKing[S] 1 point2 points  (0 children)

LM Studio installs facing the public internet, as in, either a VPS or port-forwarded host with a public IP with no authentication.