Can you trust me?

A direct answer from Josh (odpay), founder of Zenith Hosting.

If you're thinking about hosting your ZenithProxy with me, there's one question worth asking up front: what's actually stopping me from reading your coordinates off the server?

Technically, nothing. That's true of every hosting provider you've ever used. Any hosting operator technically can spy on their customers. What you actually need to figure out is whether it makes any sense for me to do it. That's what this page is about.

Who I am

Hi. I'm odpay.

I created ZenithProxy in 2021 as a fork of Pork2b2tBot, built for members of my group Zenith so we wouldn't have to sit in the 2b2t queue. A few months later I brought on rfresh, and handed the project off to him not long after so I could focus on school. He's since done orders of magnitude more for ZenithProxy than I ever have, and he's the one publicly regarded as the primary maintainer today.

[Image: Discord screenshot from February 2022 of odpay inviting rfresh2 to the ZenithProxy GitHub repository with Maintain-level access, and rfresh replying 'im in / cool'.]
Me adding rfresh to the ZenithProxy repo in Feb 2022.

I've kept making occasional contributions to ZenithProxy since the handoff. If you're running any version of ZenithProxy released since 2021, you already auto-update code that I have commit access to. I've had a silent, free path to every running ZenithProxy instance (and therefore every user's 2b2t coordinates) for years. I haven't used it.

Why Zenith Hosting exists in the first place

Stop and think about this for a second.

If my plan was to steal bases, I could push a malicious ZenithProxy update any night of the week. Thirty seconds of work, instant coordinates from every user on the planet, zero infrastructure required. Done.

Instead, what I actually did was:

  • register an actual business under my real legal name
  • spend months building this platform
  • build in-house plugins and tooling on top of ZenithProxy specifically for Zenith Hosting users
  • set up billing through Stripe
  • run marketing
  • pay for domains, servers, DNS, a whole infra stack
  • charge real money
  • start generating income I have to file taxes on

And then, at the end of all of that, the play is to throw it all away by spying on one of my paying customers?

If that were the plan, it would be the most expensive, most traceable, most self-incriminating way to get coordinates anyone has ever dreamed up.

And because this business is registered under my real legal name, compromising a customer's data puts me in federal unauthorized-access and wire-fraud territory. There is no scenario where the math on this works out for me.

What about everyone else?

Fine. So "what if odpay is evil" is a dumb bet. But there are other customers on the platform, and random attackers out there on the internet. Those are a real threat model, and I can actually engineer against them.

Per-instance pod isolation. Every instance runs in its own locked-down Kubernetes pod. No host filesystem access, no shell from the public internet, no reaching it from other customers' pods.

Firewalled control channel. The management plugin's port is blocked from every other pod at the network policy level. Only the backend can talk to it, over Kubernetes' authenticated API tunnel.

Your Microsoft token stays in the pod. If your gaming PC gets hit by an info-stealer tomorrow, your bot's account isn't in the loot.

Your home IP never leaks. 2b2t admins and other server operators only see a proxy IP, never your real one.

Always patched. The management plugin re-fetches from signed GitHub releases every time your pod starts. No way to accidentally run a year-old vulnerable build.

Argon2 password hashing. Modern, memory-hard.

No card data on our servers. Stripe handles tokenisation.

For the "me" part of the threat model, scroll back up.
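
One way the "Firewalled control channel" item above could be expressed as Kubernetes NetworkPolicy objects. This is an added illustration, not Zenith Hosting's actual configuration: the namespace, labels and management port 8080 are hypothetical placeholders, and 25565 (the Minecraft default) is assumed for the proxy listener.

```yaml
# Added illustration, not Zenith Hosting's real manifests.
# Hypothetical names: namespace "instances", label app=zenithproxy,
# proxy listener 25565/TCP, management plugin 8080/TCP.
# NetworkPolicy is only enforced if the cluster's CNI plugin implements it.

# 1) Baseline: every pod in the namespace is selected for Ingress with no
#    allow rules, so all inbound pod-network traffic is dropped by default.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: instances
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# 2) Exception: instance pods accept connections on the proxy port only.
#    Policies are additive, so this opens 25565 and nothing else.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-proxy-port-only
  namespace: instances
spec:
  podSelector:
    matchLabels:
      app: zenithproxy
  policyTypes:
    - Ingress
  ingress:
    - ports:
        - protocol: TCP
          port: 25565
# The management port (8080 here) appears in no allow rule, so a connection
# to it from any other pod is dropped. Assumption: the backend reaches it
# through the API server's port-forward, which is delivered inside the pod's
# own network namespace rather than as pod-to-pod traffic, so it needs no
# rule in this policy.
```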

The honest part

You cannot fully guarantee trust. Not with a hosting provider. Not with your friend running your bot. Not even with auto-updating software you set up on your own VPS. The moment you run somebody else's code, you're trusting them.

If you want more data points, the #reviews channel in our Discord has real users writing about their experience. And if you'd rather skip the hosting question entirely, you can always self-host. Here's the repo.

Talk to me

If you want to ask me anything, before signing up or after:

Josh (odpay)
Founder, Zenith Hosting. Original creator of ZenithProxy.