Saik0

if you can play an item back. you can enumerate it.

I mean, that’s effectively the same boat I’m in. I run all my own stuff in my own cluster (recently posted some of it if you check my post history).

But putting up Jellyfin for any user that isn’t on your network is literally a security nightmare. I cannot run blatantly insecure software and leave it internet facing. It’s one thing if it was just found and they’re working on closing it… But this has been documented/known for 4 years. They’re not fixing it and have shown no interest in addressing it at all.

VPN is literally the only answer… and that breaks all TV-based access outright since none of them do VPN. Basic auth doesn’t work. Other forms of auths breaks all app access (leaving only browser). And each time any of these possible alternative answers come up, they’ve outright dismissed it.

If/When Plex finally gets hostile, I’ll simply turn it off. But I can’t let Jellyfin be what services my users, it just doesn’t work.

I’ve spoken out on this same issue before… and as a previous security instructor/researcher… it’s fucking scary how many people shit on Plex for a platform that has had known vulnerabilities in auth for 4 years now, that’s existed since the previous code-base… so at least 7 years old and those issues existed in the previous emby codebase going back over a decade.

Plex isn’t perfect… there’s risks involved there too… but at least when something is brought up as a significant risk it seems to get fixed outside of the implicit risks of the Plex org itself.

All I read in these threads is effectively “WAAAH I don’t WANNA pay!”… Without realizing that the payment gave them something significantly more secure.

h265

https://www.cnx-software.com/2017/10/30/h-265-hevc-license-pricing-updated-for-low-cost-devices/

Lot of companies don’t want to pay it themselves… and lots of people don’t see the point when there’s a list of perfectly capable codecs that are free… including AV1

https://en.wikipedia.org/wiki/List_of_open-source_codecs

Ultimately as a software developer making money… if you don’t license the codecs that you’re using properly (when using a non-FOSS codec) you are liable for damages at that point for violating the terms of the license for the codec. It IS a cost. And across millions of users that costs adds up.

to use your own GPU for hardware encoding was always a scumware tactic

It costs them money to distribute the codec. It’s not scumware. Otherwise they would have to make install/setup of plex a 2 step process… and updates would be annoying as shit.

They need you to pay so they can push codecs with their updates/install.

I’m fine with the one time payment. I donate to shit I use regardless.

Okay? But they’re not holders… and their access to servers is changing and hinges on YOUR status. It’s not unreasonable to notify them about this change.

As do I… had a coworker message me about using adobe to merge/split pdfs… rather than walking them through the adobe workflow, just linked them right to the url… It’s so easy to use that I didn’t have to say anything more. they got it in seconds that would have taken me minutes of back and forth to explain to them.

It’s great. Simple tools for simple purpose.

In addition to the other post…

You already have a setup and throwing one more docker on isn’t a big deal. especially if you have watchtower already setup as well… then it even updates itself.

I use tools like this all the time… PDF for example stirling-pdf makes doing something things a LOT easier than firing up a “proper” pdf editor. This tool would likely be the same concept for other workflows.

I wish I could find something like this (low power kinda thing) that could take like 40 sata ssds.

I have a whole stack of 500 GB ssds from a datacenter decommission that I’ve been sitting on.

The 2TB units found their way into my ceph cluster… but those machines are live vms… A smaller little guy that can stack all these 500 gb would be nice to give to my cousin or something and use as offsite backup.

I was going to leave this alone… your original comment was correct enough that it wouldn’t matter and your “dedicated attacker” left it fine when i read it before.

but your edit has a gaping flaw. you assume that all content in the library would be physically released. lots of shows and movies are not physically released now. Can’t claim “backup” for those. The moment a movie studio finds your stuff and can map a few titles and one of them never had a physical release… your in the shit.

but yes you can be much harder to scan overall with a few steps. fail2ban is a great answer that makes it deeply unlikely to be an issue.

but i wish that they’d just fix it.

edit: OR that they wouldn’t try to go after you for distribution…

All of these “vulnerabilities”, require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.

Which are simply MD5 hashes… You can precompile (rainbow tables) those. The “knowledge” here to get a valid video stream is “What path is the file on” which is pretty standardized. This is a good way to have a major movie studio’s process server knocking on your door.

you’ll have to put your Jellyfin server on the Internet.

Don’t.

https://github.com/jellyfin/jellyfin/issues/5415

Way to comment on something from over a year ago. And no nobody lied to me. I read the manifesto that Hamas publicly published.

“both sides should stop the violence and talk it through”

Hard to have a sit-down talk when one side (Palestine) outright says their goal is to kill all Jews and Christians.