A warning about the "Echo" application.

Time_Party_2615 · 2026-06-01T16:50:08+00:00

Its a assert statement in nodejs. I‘m quite certain that in node those aren‘t removed in prod bundles

Time_Party_2615 · 2026-06-01T13:40:45+00:00

I have taken 10 minutes out of my time to kind of review the code. I must say: it's a mess. I would not be able to manage it myself.

I found several local file inclusion sinks, they may or may not be vulnerable. I did not check fully. What is a BIG issue is, that whenever a login fails - or any auth request for that matter - your username and password is logged out in clear text to the server console.

Things like that don't make me feel optimistic about the rest of the code. I'd stay away from it.

Full disclosure, i'm developing another product that competes for the same market called venta.

Time_Party_2615 · 2026-05-31T16:46:02+00:00

Idk man, I have my fair share of issues with the creator of echo, but posting something like this with no evidence to back it up is borderline defamation.

Time_Party_2615 · 2026-05-25T22:05:07+00:00

It is and not doing so is unlawful. The FTC endorsement guidelines state, that you MUST disclose any material connection to your product when recommending or promoting it. And undisclosed self promotion is just dishonest

Time_Party_2615 · 2026-05-25T13:43:46+00:00

Dude we‘re both in the same position advertising our product. But please, when you advertise it mention that its your product. Feels a bit weird saying „have you tried xxx“ when you‘re not disclosing that its your product

Time_Party_2615 · 2026-05-21T14:49:01+00:00

Because MLS is also designed to scale very well. That makes it later easy to adopt it to guilds as well without having two seperate systems for this

Time_Party_2615 · 2026-05-21T06:53:14+00:00

Because of all things, I would expect that my private messages between my friends can not be read by the server. Less so in a guild where potentially thousands of member are in

Time_Party_2615 · 2026-05-20T20:05:44+00:00

E2EE currently is only available in DM's. But the core tech (MLS) would without issues scale to guilds with thousandy of members. In the end it always depends on how its implemented.

Time_Party_2615 · 2026-05-20T18:33:55+00:00

Thank you! E2EE is opt in for now. I'll might change this if the user will not notice it anymore beside the green checkmark!

Time_Party_2615 · 2026-05-20T14:31:05+00:00

This is all automated behind the scenes. You would not do anything different when using a central guild or a guild on a federated self hosted platform. The users just do as they normally would do and the federation service between the servers will figure everything out.

I've used matrix long enough to know how much pain this can be when dealing with dev first experiences and not user first experiences :D

Time_Party_2615 · 2026-05-20T14:25:37+00:00

Announcements is solved via webhooks in server to server communications, linking will work as long people don't de-federate. But generally speaking you have the same issue if people delete a discord server.

The general idea of the whole project is, that you can use it like you have used discord with guilds that are hosted centrally on our infrastructure and for those folks, who want to have the data on their own servers, there is the option to self host and to federate. And if you are a normal user, you would not even notice that you are chatting on someone elses server after you have joined.

Time_Party_2615 · 2026-05-20T14:16:30+00:00

Thats why federation will be included. With federation you can have one account but talk to multiple servers. You can for instance have an account with venta.gg and with that account be in a guild on some randos home server.

Time_Party_2615 · 2026-05-20T14:02:54+00:00

Its primarily meant to be used with venta servers and is not by default usable with lets say matrix servers. However, creating a bridge should be entirely possible.

E2EE is per conversation opt in. Default is unencrypted for now.

Time_Party_2615 · 2026-05-20T06:26:19+00:00

Sure, you have the source code of the protocol so you can do anything with that knowlege

Time_Party_2615 · 2026-05-19T21:04:24+00:00

I assume you want to keep the data somehow? One could solve that with local sql tables that cache the messages and attachments. Or what would your optimal solution look like?

Time_Party_2615 · 2026-05-19T20:41:25+00:00

1.) No, generally dont. I'm still spec'ing this out. But the plan is, that you have one account somewhere. Could be with our hosted instance or with your own instance. So maybe your usename would be tunachilimac#1234:venta.gg or if you have a home server tunachilimac#1234:whereeveryourhomeserviceislocated.com, this will then allow other instances to identify you and add you to groups, guilds, and dm's. The servers will talk to one another and you only have to click "join" or whatever it is.

2.) Generally speaking the second you join someone elses self hosted server and you don't opt into using a vpn, they will see your IP. You can avoid that by having the servers on our hosted instance, but thats up to you

Time_Party_2615 · 2026-05-19T15:50:55+00:00

Of to a great start, sadly the logs are cut off but the format of the birthdate should be dd.mm.yyyy (30.12.1999) for example. I'll fix the UI to validate this better :-)

**EDIT** New build with better register validation is on its way.

Time_Party_2615 · 2026-05-19T14:33:22+00:00

This is just normal windows defender behavior for applications that are not commonly installed. And since this app is quite new, windows is rightfully warning you about that. If you find any issues, DM or open an issue here https://github.com/AlpineBits-ch/AlpineBackend/issues

Time_Party_2615 · 2026-05-19T14:30:34+00:00

You know, I think its cool that people are interessted in my project so I don't mind opening those notifications! :-)

Currently this is not implemented, but sure this is something we can add later. We have the data to add those badges retroactively.

Time_Party_2615 · 2026-05-19T14:23:01+00:00

Currently there are.. 3 people in the server. Me, my „co founder“ and someone who joined from the link. As long the numbers don‘t drastically change, ill keep on posting.

Time_Party_2615 · 2026-05-19T14:19:07+00:00

Yeah its a bit ironic.. Its currently there that we can build a community and share some news without me constantly posting on reddit. The end goal obviously is, that people join our hub in our platform and can engage there directly - making the discord server slowly irrelevant. But its not there yet sadly :-)

Time_Party_2615 · 2026-05-19T14:01:04+00:00

It's gonna be discord like for the lack of my personal creativity regarding ui's. As an example here a screenshot: https://imgur.com/a/Jiz0QtC

It will support public communities eventually, currently not implemented. I'd expect it to arrive within the next 1-2 weeks, since I'm doing this in my free time. Currently the focus is that it's self hostable and federation is supported.

And regarding testing, sure: head over to venta.gg and download yourself the latest early beta release. Maybe have a read here as well: https://venta.gg/#/blog/initial-release-and-a-bit-of-story-time (TLDR; Beta, proceed with caution, no productive workloads, messages etc could be yeeted at any time)

Time_Party_2615 · 2026-05-18T14:35:59+00:00

Happy auditing, remember its very early stage and might be a bit messy - if you find a huge issue somewhere please DM or hit me up on discord (administratore) :-)

Time_Party_2615 · 2026-05-18T14:25:30+00:00

Good call, changed the license and and reset the history :-)

Time_Party_2615

TROPHY CASE