Plex is rolling out its big app redesign
Saik0 (@Saik0Shinigami@lemmy.saik0.com) · Posts: 1 · Comments: 1,971 · Joined 2 yr. ago

Cool... point me to the LG TV tailscale app.. or the roku tailscale app...
SDNs in general are no different. App support is limited, specifically on devices that people are most likely to want to watch media content on.
And to say that tailscale is "that's it" is a bit disingenuous. On my setup (LXC containers) I couldn't add tailscale even if I wanted without faffing with interface stuff.
If it's a private VPN, you should be fine. If it's publicly accessible the jellyfin access through a vpn itself doesn't matter. They can just subpoena a request to your domain registrar to get your information since the IP won't yield anything useful for them.
Thanks for admitting it. A few people simultaneously responded attacking my warning. So rereading my response to you, I recognize I was a bit more snarky than was warranted, and I apologize for that.
But yeah, 2FA (even simple TOTP) baked in would go a long way on the user front too.
It's clear that Sony could just generate a rainbow table of hashes in MD5 with common naming conventions and folder conventions, make a list of 100k paths to check or what have you for their top 1000 movies... and then use Shodan (or a similar tool) to find JF instances, and then check the full table in a few hours... rinse, repeat on the next server. While that alone shouldn't be enough to prove anything, the onus at that point becomes your problem as you now have to prove that you have a valid license for all the content that they matched; they've already got the evidence that you have the actual content on your server, and you having your instance public and linkable could be (I'm not a lawyer) sufficient to claim you're distributing. Like I can script this attack myself in a few hours (would need a few days to generate a full rainbow table)... Put this in front of a legal team of one of the big companies? They'll champ at the bit to make it happen, just like they did for torrents... especially when there's no defense of printers being on the torrent network, since it's directly on your server that exists on your IP/domain.
I don’t need to trust because I know how it works: https://github.com/jellyfin/jellyfin/blob/767ee2b5c41ddcceba869981b34d3f59d684bc00/Emby.Server.Implementations/Library/LibraryManager.cs#L538
Yes... exactly how I said it works. Notice the return.
return key.GetMD5();
It's a hash, not a proper randomized GUID. But thanks for backing me up I guess? I wasn't interested in posting the actual code for it because I assumed it wouldn't be worth a damn to most people who would read this. But here we are.
They can’t. Without the domain, the reverse proxy will return the default page.
You are wrong, but at this point I'd have to educate you on a lot of stuff that I don't have the time or care to educate you on. The tools are out there and it's beside the point at all; proper auth fixes all the concerns. If it's publicly accessible you have to assume that someone will target you. It's pitifully simple for someone to set up a tool to scan ranges and find stuff (especially with SSL registrations being public in general; if I asked any database for all domains issued that start with "jf" or "jellyfin" or other common terms, I'd likely find thousands instantly). Shodan can and does also do domain stuff.
There are 2 popular Docker images, both store the media in different paths by default
So they'd only have to have 2 hashes for a file to hit the VAST MAJORITY OF PEOPLE WHO USE THE DOCKER. What an overwhelming hurdle to jump...
You do not have to follow the default path
Correct, but how many people actually deviate? Forget that most people will map INTO the container and thus conform to the mapping that the containers want to use. This standardizes what would have been a more unique path INTO a known path. This actually makes the problem so much worse.
The server does not even have to run in Docker
And? Many people are simply going to mount as /mnt/movies or other common paths. Pre-compiling MD5 hashes with hundreds of thousands of likely paths that can be tested within an hour is literally nothing.
You do not know the naming scheme for the content
Sure, but most people follow defaults in their *arr suite... Once again... the up-front "cost" of precompiling a rainbow table is literally nothing.
It does not need to be similar, it needs to be identical.
Correct but the point that I made is that they would simply pre-build a rainbow table. The point would be that they would take similar paths and pre-md5 hash them. Those paths would be similar. Not the literal specific MD5 hash.
There are 1000s of variations you have to check for every single file name
Which is pitifully easy if you precompile a rainbow table of hashes for the files in the name formats and file structures that are relatively common on Plex/Jellyfin setups... especially to mirror common naming formats and structures that are used in the *arr setups. You can likely check 1000 URLs in a matter of a couple of seconds... Why wouldn't they do this? (The only valid answer is that they haven't started doing it... but could at any time.)
My threat model does not include “angsty company worried about copyright infringement on private Jellyfin servers”.
Yes... let's ignore the companies that have BOATLOADS of money and have done shit like actively attack torrents and trackers to find thousands of offenders and tied them up legally for decades. Yes, let's ignore that risk altogether! What a sane response! This only makes sense if you live somewhere that doesn't have any reach from those companies... Even then, if you're recommending Jellyfin to other people without knowing that they're in the same situation as you, you're not helping.
Why bother scanning the entire internet for public Jellyfin instances when you can just subpoena Plex into telling you who has illegal content stored?
I thought you knew your threat model? Plex doesn't hold a list of content on your servers. The most Plex can return is whatever metadata you request... Except that risk now is null because Plex returns that metadata for any show on their streaming platform or for searches on items that are on other platforms, since that function to "show what's hot on my streaming platforms" (stupid fucking feature... aside) exists. So that metadata means nothing as it's used for a bunch of reasons that would be completely legitimate. The risk becomes that they could add code that does record a list of content in the future... Which is SUBSTANTIALLY LESS OF A RISK THAN COMPLETE READ ACCESS TO FILES WITHOUT AUTH, but only if you guess the magic incantations that are likely the same as thousands of others' magic incantations! Like I said though several times, I'd LOVE to drop Plex, BECAUSE that risk exists from them. But Jellyfin is simply worse.
You seem wildly uneducated on matters of security. I guess I know now why so many people just install Jellyfin and ignore the actual risks. The funny part is that rather than advocating for fixing it, so that it's not a problem at all... you're waving it all away like it could never be a problem for anyone anywhere at any time. That's fucking wildly asinine when a proof of concept of the attack was published on a thread 4 years ago, and is still active today. It's a very REAL risk. Don't expose your instance publicly. Proxied or not. You're asking for problems.
Yeah... ignoring potentially leaking peoples private videos for the sake of "backwards compatibility" is wild. No... When you find a critical flaw like that, you should be breaking compatibility purposefully in order to make people update to tooling/programs that support the new more secure functionality.
are in UUIDs.
It's not a UUID. Those tokens are MD5 hashes of values that can be pregenerated (rainbow tabled) or guessed. It's not random. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658
Edit: and UUID in the URL still means capture-able by google search and other issues/crawlers. But somehow security through obscurity is "secure" to you. Y'all are crazy.
No... and you're trusting this WAY too much. This is exactly why it's dangerous.
You don't need any knowledge of the domain. Tools like shodan will categorically identify EVERY jellyfin instance that scanners will run into.
the media/user/stream IDs and media paths.
No. Read the whole thread. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658
If your path is similar to my path, which due to the nature of the software we ALL have, you can absolutely brute-force the CALCULATED AND NOT RANDOM MD5 hash of the folder names that bigbucksbunny lives in. All it takes is for one angsty company to rainbow table variants of their movies' names to screw you completely over. This is "security through obscurity". This isn't safe AT ALL.
Edit: Just to clarify, you would have to ADD your own GUID-style information to the folder path in order to make a generic precompiled rainbow table for common paths not work. E.g., /mnt/53ec1945-55dd-4b73-8e03-9e465d5739c3/movies/bigbucksbunny
Common paths/names can be set up based on the defaults for programs like the *arrs with minor Linux-minded variants, and I bet it would hit a good chunk of users who run Jellyfin.
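The property argued across these comments (the item ID is `key.GetMD5()`, so identical library layouts on different servers produce identical IDs, and only a per-install random path segment makes them unpredictable) can be checked locally. The following is an added illustration, not code from this thread or from the Jellyfin project; it assumes the hashed key is simply the item's filesystem path (the linked source only shows the MD5 step, not how the key is composed), and all sample paths are constructed.

```python
import hashlib
import re
import uuid

# Assumption (not shown on the page): the key handed to GetMD5() is the
# item's filesystem path. The linked code only shows that the ID is an MD5
# of some key; determinism of that step is the property illustrated here.
def derive_item_id(key: str) -> str:
    """Deterministic ID: the same key always yields the same 32-hex-char ID."""
    return hashlib.md5(key.encode("utf-8")).hexdigest()


def random_item_id() -> str:
    """A genuinely random GUID for contrast: cannot be derived from a path."""
    return uuid.uuid4().hex


_UUID_SEGMENT = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def has_unguessable_segment(path: str) -> bool:
    """Self-audit heuristic: does some directory segment carry random material
    (a UUID, or 20+ alphanumeric characters) so that no dictionary of common
    layouts could contain this exact path? Heuristic only, not a guarantee."""
    for seg in path.split("/"):
        if _UUID_SEGMENT.match(seg) or (len(seg) >= 20 and seg.isalnum()):
            return True
    return False


def shared_ids(paths_a, paths_b):
    """IDs that two independent installs would have in common, given their
    library paths. Nothing random enters the derivation, so identical paths
    give identical IDs on every server that uses them."""
    return {derive_item_id(p) for p in paths_a} & {derive_item_id(p) for p in paths_b}


# Constructed default-style layout (two separate servers using the same defaults).
DEFAULT_LAYOUT = [
    "/media/movies/Big Buck Bunny (2008)/Big Buck Bunny (2008).mkv",
    "/media/movies/Sintel (2010)/Sintel (2010).mkv",
]


def hardened_layout():
    """The mitigation from the comment above: a per-install random GUID segment
    in the mount path. Each call models a different server with its own GUID."""
    root = f"/mnt/{uuid.uuid4()}/movies"
    return [
        f"{root}/Big Buck Bunny (2008)/Big Buck Bunny (2008).mkv",
        f"{root}/Sintel (2010)/Sintel (2010).mkv",
    ]


if __name__ == "__main__":
    # Two servers on defaults: every ID matches, so a precomputed table hits both.
    print("default installs share", len(shared_ids(DEFAULT_LAYOUT, DEFAULT_LAYOUT)), "IDs")
    # Two servers each with their own GUID segment: no ID in common.
    print("hardened installs share", len(shared_ids(hardened_layout(), hardened_layout())), "IDs")
    for p in DEFAULT_LAYOUT + hardened_layout():
        print(has_unguessable_segment(p), derive_item_id(p), p)
```

Note that the GUID must be generated per install: two servers that copy the same example GUID from a forum post are back to sharing IDs, which is why `hardened_layout()` draws a fresh `uuid4()` each time.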
Would seem so. The project is open source, and nobody is getting paid. So the lack of update makes sense to some extent.
As cool as it is.. and as much as I want to make plex shove it completely. Jellyfin just isn't ready for prime-time.
I run both... Jellyfin isn't allowed to talk outside of my network at all, and I can access it over my personal VPN... But Plex is where all my users are because anything else would just be too annoying to maintain.
Because a reverse proxy doesn't resolve any of these major issues.
https://github.com/jellyfin/jellyfin/issues/5415
Your content can be probed, identified, and streamed all without auth. Your users can be enumerated in certain cases.
Edit: If you host legit content, like family videos... All of that can be leaked. If you don't host legit content... and the public site gets probed and they identify the illegal content... expect to be named in a very large lawsuit... either situation is bad.
Edit2: and hosting it behind a proxy that does its own auth would break ALL app-based Jellyfin clients.
In some ways it is... In others it's definitely not.
My biggest problem is that I can't expose it on a domain for my family to get to. They don't know how to VPN and to educate them would be exhausting.
If only Jellyfin onboarding was as easy for friends and family…
What makes it harder is that you can't just expose it to the internet... https://github.com/jellyfin/jellyfin/issues/5415
In order to use Jellyfin you now have to get all your users onto a vpn or some other tunneling service. It's crazy.
I have both installed... I want to deprecate Plex SO FUCKING BAD. But Jellyfin just isn't good enough.
No upselling.
Bullshit. Within minutes of registering just to look at some stuff I got spammed with all sorts of bullshit via email. Custom one-off throwaway email alias.
No. I'm telling you that "They paid almost 3 percent" is bullshit. I'm telling you that you're lying. I make no claim for anything else other than you're full of shit. You're making shit up to complain about "orange man" and not looking at what's actually made them pay. Which was Russian aggression.
And no, you can't just take the average when there's a clear pivot point of an event. Someone had to make up the shortfall in the pre-Russian-invasion time frame. That wasn't just free. They averaged 1.6% in the 6 years prior to the Russian invasion of Ukraine. Well below the benchmark.
But wait! Turns out I copied and pasted the wrong table... I grabbed it from a page down because I was an idiot and scrolled too far!
Here's the real data... Denmark: 1.15 1.11 1.15 1.14 1.28 1.30 1.38 1.30 1.37 2.01 2.37
1.556% as an average... with pre-invasion looking closer to 1.2%
So even now they barely make the benchmark even after Russian invasion (post-invasion averages 1.7%). So not only are you really full of shit, but you're SUPER full of shit. They've never paid anything close to 3%. Let alone actually maintaining their 2%.
Edit: fixed wording to be more clear on post Russian invasion benchmark.
Denmark: 0.97 1.09 2.16 1.95 1.49 1.85 1.84 4.08 3.07 2.64 2.29 (2014-2024, estimated)
Source: https://www.nato.int/nato_static_fl2014/assets/pdf/2024/6/pdf/240617-def-exp-2024-en.pdf
Considering that the "old" benchmark was 2%... They didn't even make that number for years. Only stepping up and consistently paying when Russia actually started their invasion. And even then they are rapidly regressing back to the 2% number.
Bush also brought the PATRIOT act to open a lot of authoritarian doors.
What sort of history revisionism are you peddling here? The Patriot Act was bipartisan. We have records of the votes. Like 75% of Dems approved it. And 98-1-1 in the Senate... https://www.justice.gov/archive/ll/subs/detailed_vote_2001.htm
Hell if we're making this partisan, the republicans have a better claim that they're trying to end it...
In November 2019, the House approved a three-month extension of the Patriot Act which would have expired on December 15, 2019. It was included as part of a bigger stop-gap spending bill aimed at preventing government shutdown which was approved by a vote of 231–192. The vote was mostly along party lines with Democrats voting in favor and Republicans voting against. Republican opposition was largely due to the bill's failure to include $5 billion for border security.[253]
You using crypto to buy your toilet paper is not a mass scale use case and it is irrelevant.
So then you claim that being able to buy stuff isn't a "mass scale" use case...
You realize that's fucking stupid right?
As I said, I can and do buy things regularly (though "rare" comparatively with the normal fiat purchases) with crypto. Others can do it with me as well, as the sites that I do it on do as well. I can prove that by looking at the blockchain and seeing the traffic in their wallets.
So "way to go man!" Unless you actually have something more meaningful than "nuh uh". You're kind of full of shit.
Edit: Lack of "big" vendors doing it != not possible at mass scale.
Dell at one point accepted crypto. They stopped because of regulation, not because of technical limitation. And sites like Newegg still accept it.
https://www.opensecrets.org/news/2018/12/billionaire-sex-offender-epstein-gave-heavily
Jeffrey Epstein, a billionaire hedge fund manager, settled in court Tuesday more than a decade after his saga of sexual exploitation of underage girls was revealed by the Palm Beach police in 2005.
According to an investigation by the Miami Herald, from at least 2001 to 2005, Epstein lured underage girls to his Palm Beach mansion to partake in a network of sexual exploitation.
From 1989 up until 2003, Epstein donated more than $139,000 to Democratic federal candidates and committees and over $18,000 to Republican candidates and groups, according to data from OpenSecrets. Notable recipients include former President Bill Clinton and former Senator Bob Packwood, a Republican. In 2003, a couple of years before a full-scale investigation into the allegations of sexual exploitation of underage girls, his political giving abruptly stopped.
From 1999 to 2003, Epstein donated $77,000 to Democrats John Kerry, Richard Gephardt, Chris Dodd, and other high-profile politicians and committees. Dodd received a $1,000 contribution from Epstein during his reelection campaign in 2003, however, the contribution was returned in 2006.
So unless you're insinuating that Bill Clinton and John Kerry are republicans... I deeply, deeply doubt it.
Over the 15+ years that we’ve had crypto, there have been only two viable uses. All others have failed:
Criminal activity (including brutal stuff like enabling NK/Russia and drug cartels)
Financial speculation (in of itself often a malicious activity where the goal is to dump your worthless bags on a mark)
Huh, Weird... Every use I've ever used crypto for doesn't fall into these two categories. So I guess your assumptions and thus everything you based your logic/responses on must be faulty and incorrect.
I use Crypto much like I use my second language/citizenship. Rarely... However, that doesn't mean I don't use it legally. And simply holding onto the crypto != financial speculation. Nobody treats a savings account as "financial speculation".
I've paid for plenty of things from my crypto wallets. Ranging from several to thousands of dollars.
And yes, I would like my payment for toilet paper and bell peppers to be private. Strictly for the fact that I don't want Mega-corpo stores to be able to track and advertise to me based on my payment method. "Club cards" to advertise/track you are a thing. Large chains can do this same thing with payment methods details. So yes, being "real" here, I not only require it, but demand it.
Your premise is bad. And based on your other responses you don't care to address it at all.
Transcoding...
Since Plex is distributing software that can re-encode video, the codecs that come with the software must be licensed, for many of the codecs.
Here's an article that covers some of the shenanigans around h264... Now realize there's at least a dozen others as well that are likely just as screwy. https://jina-liu.medium.com/settle-your-questions-about-h-264-license-cost-once-and-for-all-hopefully-a058c2149256
Eh, if that's operating in the US (or other country that cares), they may still give up the mapping to a legal request.