So now your users could be phished by a Plex phish… which gets the attacker access to your plex instance upon success? But you already said that you don’t find that worth securing since in JF it’s not secure by default… I’m fully not understanding here. Is the worry that your users are reusing passwords?

Any user for your system getting an actual phish for plex will at worst get a request to pay for something. Of which I bet they’d talk to you about it as the server owner first since I doubt anyone would want to pay for something you’ve given them for free.

I’m not seeing the risk here. Want to expound on that? I can clearly see the risk of direct media access if copyright holders start making random claims for things they find on default insecure servers.

I don’t have tech people in my life, and have never had that.

Yeah I feel this. These days it’s near impossible to just pick up on your own. When I was growing up and getting into it, you could still disassemble things and see how they were all connected (and poke at them to make it do weird stuff!). Now-a-days it’s all multilayer boards and impossible to piece together without an electrical engineering degree and an xray machine. It’s hard to ramp into the material when it’s such a vast topic that’s quite hostile to new blood.

The IT side has similar issues… Lots of stuff has been distilled to “this ansible script will handle ALL of it if you setup a 5 line config file” (Or a docker compose file that you just edit and run)… You miss all the backend stuff that’s happening and don’t get the understanding of how it all talks together and works.

Convenient… but not generally good for actual understanding.

Good luck on your IT adventures! Feel free to reach out again if there’s something you want to talk about.

Sure Sony could see you have Avengers on your instance. Could they prove you got it illegally just from that?

Only takes finding one item that was “streaming service only” to subpoena everything else and require you to provide evidence in court… And yes… I don’t keep things visible in my window that might cause me legal trouble. I wouldn’t have guns mounted on my wall in a state that has a gun ban, then cops have plain-view reasoning to break my door down and take me to jail. This is well litigated. Just like bypassing security features is against the law (as a general rule)… but lemmy doesn’t put those endpoints behind any lock of any form, which loses it it’s protection.

Your argument is literally the same argument that police use to enforce drug laws. Which most of lemmy is against as a general rule. I’m not sure why you think this logic is okay here.

And no… seeing a disk would imply ownership as it’s readily known that DVDs and Blurays possession is a license to have the content. Where digital ownership is not a give just by having the file.

The proof of concept is in the original JF issue on github. It’s not theoretical. It’s just not known to be actively abused right now… It could very well be abused… and I actually even made my own proof of concept that works. Nothing stops someone from cluing Sony’s lawyers in on the matter and handing over the proof of concept for money… Then what do you do? Just because we “think” it’s not being abused doesn’t mean that you ignore it.

You can probably leave your front door unlocked… until one day somebody just walks in and takes your stuff. They may only take stuff that you don’t find important, that makes it okay right?

I do agree that it should be by default, but a “breach” where someone accesses a piece of media from my server has no tangible impact on me or my server. A breach that includes my email and account information, absolutely does.

Until a media company like Sony scans your server for their content and serves you a summons… Then it will have a significant impact on you. And I doubt the content that Plex leaked actually has any meaningful impact at all. It sucks… and is bad… but shit happens and nothing is perfect. I’m much more trusting of a company that actually responds and fixes problems that gets reported than one that hides in the corner with finger in ears for 5+ years.

I don’t entirely understand what this response has to do with what I said. I’m surprised to hear you say that people praise Jellyfin as being far more secure than Plex, as I have not heard that. Security has nothing to do with why I use Jellyfin over Plex.

We’re on a thread where Plex is being derided for a security problem… Where the principal comment I responded to says “Glad I’m on Jellyfin”. This is an implicit “jellyfin doesn’t have this problem, it’s secure” statement. Otherwise there’d be no point or relevance to the comment for the topic at hand.

My guy, I didn’t start the comment thread, I’m not the one who brought up Jellyfin.

You wrote

Endpoints that dont give you any data that would be considered a breach.

You are perpetuating that Jellyfin is “secure” to use on the internet. I was directly referencing what you said. I’m not sure why you keep thinking I’m talking about something else.

Just want to add that I’m not a completely random user. I have a career in cybersecurity as well as a degree and plenty of certifications.

I’m a CISO. I hire people like you and give you your job. I’m also no “completely random” but playing the appeal to authority card is stupid on a random internet forum. If I were to leak content secured by the applications that I have security ownership of. I’d be completely fucking jacked. Leaking emails and password hashes are meaningless… emails are all well known and password hashes means I just force reset the entire userbase and move on. Plex’s “leak” is annoying… but not actually sensitive at all. You should know this. It will take a significant amount of time for the bcrypt+salted+peppered passwords to actually be decrypted. There’s LOTS of time to hash that out, this email is the start of that process.

Now if your media isn’t worth securing… then why use authentication at all on Plex or JF? Why do you care about your account auth that protects your media if the media isn’t worth protecting? Why is it your default stance that exposing the media is such a nonissue… that your more worried about the data that secures your media more than the actual security of the media?

When discussing a vulnerability, we need to consider the actual risk of a vulnerability, using its likelihood of being exploited and its potential impact. The likelihood of someone attempting to brute force media on my Jellyfin is practically nonexistent, as they have essentially nothing to gain.

Unless you’re a media company like Sony, WB, or other company that actually has ownership rights of the IP that you’re storing. Remember… Sony has done things like install rootkits on their consumers computers in order to stop piracy. Why do you think that they’re above asking servers freely if they have their copyrighted content?

The impact isn’t a technical one. but a legal one. And JF could close that door and keep the media confidential in of itself so that this is a non-issue all together but specifically won’t because of “backwards compatibility”. But somehow you trust them to make secure decisions elsewhere with your content?

Well… I’ll be blunt here. I taught in an R1 institution for a bunch of years. Even people graduating with a Masters in the IT field can know very little about these subjects (which could be a statement of the program itself… but in my opinion mostly of the students lack to join concepts together as I literally had many of those students go through my security and operations classes). It’s possible for the best of us to be blind sided by random things that we didn’t recognize as a problem because we didn’t realize that concept x and y are related. I’m no exception to this and never claimed to be.

IT is a big field and security a hot-button, constantly growing, subfield of it’s own. Which doesn’t help… it’s breakneck to keep up with.

I don’t know of any single source of truths to give you here. Some basic tenants of security… Security through obscurity doesn’t work. Expose as little as you can. Keep everything you can behind some form of trusted/audited auth unless you really want it to be abused. Keep backups (3-2-1) of anything you care about. Encrypt wherever possible. MFA/2fa everything possible. Don’t reuse credentials. I’m sure there’s more that others could chime in with.

Ultimately all you can do is minimize your risk pool. It’s impossible to completely negate it. Keep an eye out on cyber news so you can learn the “new hotness” of the week as far as how things are getting attacked. It’s not necessarily something that needs to be feared, as long as you understand the risks.

You can probably start going through resources like https://www.w3schools.com/cybersecurity/ if you really want to pick up on the basics of stuff out there. And I don’t mind legitimate discussion most of the time if you want to talk about stuff, as grumpy as I might sound, I used to be an educator and have no problems with talking about the stuff I know. Though I am quite sardonic these days, it’s just my cope with the world as I see it fall apart.

The number one thing that helps learn all of it though… a homelab. Every. Single. Student I’ve ever talked to I told “get a homelab, try shit out”. In the context of my classes though, that also meant “try breaking it” too.

Married with kids… I don’t even get the pleasure of my own thoughts most days anymore…

Yeah you’re right. I should probably drop my lemmy instance. This place is a cesspool.

I use my self hosted matrix server and the signal bridge, that way I don’t have to do file backups.

Same here. And the real benefit… One place to aggregate all my chats. Discord, slack, telegram, twitter, linkedin, etc… Just download on app on my phone and connect to my matrix server.

But my backup is just LXC containers on proxmox backing up to a PBS instance. Literally 2 button restore to any snapshot from the past year (2 backups a day, morning and evening)

eh, I’m probably pretty grumpy about this discussion because I keep having the same exact 4-5 talking points “discussed” over and over just every few months. So I get that I’m probably not the most fun to interact. But this is the point. If nobody ever brings up these issues (including the JF devs themselves on their install documents) then we end up with more people like these shodan people.

The JF devs had a 5 year opportunity to close one massive big hole, that would have been simple and easy. The issues related to it are well known to the dev team and proof of concept was submitted over 5 years ago to them. They actively refuse to merge the code that would fix it because of “reasons” (most cited being “compatibility” with some players). And the most cited solution is “reverse proxy”, which is fine… but don’t resolve the problem on it’s own. Case and point with the second shodan link you can reach their instance and you can try the calls and it still “works” even though it’s behind NGINX.

This is a massive problem that isn’t being abused yet that we know of… but that problem is in EVERY JF instance… and has been the whole time JF has been a project since that problem was in the version of emby that JF is forked from. So to say that “Plex bad cause security!” when they specifically notify and do the “right” things in response to a problem is crazy when JF’s answer has been literal crickets for half a decade.

But yeah, Shodan in general is a really fun tool. It’s good habit to check your own stuff out and see what you’re exposing to the world that’s just findable.

Here’s another thing lots of people overlook. If you use let’s encrypt or some other service… look into pulling wildcard certs instead of your specific jellyfin subdomain. https://crt.sh/ and other sites will record every public cert that’s registered. Pop your own domain in… Can search for all sorts of stuff this way too.

Oh no! Not the vibes! However shall I live without the vibes!

Other software may be insecure like that but you would only know after an incident happens because you cannot audit the source code.

You don’t need to audit the source code to find vulnerabilities in endpoints. You need source code to know exactly why it’s vulnerable. Plex is constantly being tested by jackasses like me who try random shit. Hell we just got a forced patch for plex that they rolled out this month. https://forums.plex.tv/t/plex-media-server-security-update/928341

I mean they could also just go to Plex and ask them what’s on your server.

There we go. Finally this argument came up… Plex doesn’t have a list of whats on your server.

And don’t say they don’t know considering they sent emails about what you watched.

They don’t. The metadata of “what you watched” recently isn’t attached to what data source it was watched from. You can go a search for a movie that isn’t on your server, click it and mark as watched and it will show up on that email list. You can also disable that function all together and then nothing is synced to them. You can also make a claim that they know what you have since you probably pull metadata on those items from them. Except you can pull metadata on just about anything without having the content at all.

But once again… I’d love to get off of Plex. I want to actively get off of Plex. But Jellyfin is a worse pot to jump into.

If installing wireguard and using proper opsec is hard then I guess they’re right.

Already beaten to death this argument. You get wireguard installed on a “smart” TV and then that argument will matter to me.

Name email address, password, access history, and probably IP and location…

Interesting that you assume this is the list of taken things when that wasn’t what was disclosed to us. And Plex has been absolutely forthcoming with this in the past.

Edit: it’s the third time in a decade Plex got hacked. Please list instances where jellyfin leaked the data of all their users.

Literally everyday since those attack vectors are actively open right now and have been open for 5+ years (jellyfins whole lifetime) and proof of concepted for the developers that whole time.

Your email, username, and password don’t matter but the fact that you have Avengers: Endgame does? Jesus Christ man, this is why people say you’re a shill for Plex.

The only “Sensitive” item is the password… But it’s hashed and salted using bcrypt. And for me personally… it’s unique. Therefore non-important. Further their recommendation to replace the password is sufficient. Not sure how me pointing out this fact is “shill”. but you do you.

I’m sure as shit not paying a third-party a subscription for piracy.

I bet you’re wrong on this. You very likely either pay for a VPN subscription that you primarily have for torrenting content, or for usenet access to get content.

I guess you don’t care enough about your own media being yours.

LMAO. I love that the previous sentence you admit to piracy then claim it all to be yours.

and don’t just freely give my media over to a company to take care of.

Neither do I. Now you’re just making shit up.

Well… I mean… you can host your spank bank materials there. Fun is what you make of it.

I’m in a thread where Plex admits, responds, then TAKES ACTION. Versus the open source project that’s known about an issue for 5+ years… and sticks their fingers in their ears and tells you that you’re the problem.

I guess that we’ll just reward that project that’s lucked itself into not having an issue rather than a product that actually is trying.

Edit: Oh… and the actual “loss” of data matters here… My email isn’t special. My username isn’t special… The hashed and salted password isn’t special to me. None of this data matters to me in the slightest in this instance. However, potentially probing the content on my server directly DOES matter to me.

Sucks for LG tv people… and Samsung Tizen users… And all sort of other people too! But I guess you go out of your way to purchase hardware for everywhere that you go and want to watch TV then, eh?

I sure as shit am not dragging a whole Media PC setup to a hotel with me. Or to my in-laws house. Or my aunt’s… But they all have a roku.

Your answer is effectively throw money and support at it… which isn’t really a good answer. Especially the moment the user isn’t strictly “you”.