I mean, that’s fine, but it’s still an issue and a risk that would cause me to want to use a VPN for remote viewing. It doesn’t seem like security is Jellyfin’s priority at the moment, not that it’s Plex’s either, but it’s not to a place where it’s worth it to switch from a security standpoint, personally.
Comment on Important Notice of Security Incident
exu@feditown.com 1 day ago
Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account
AmbiguousProps@lemmy.today 1 day ago
MaggiWuerze@feddit.org 1 day ago
Plex has a whole team dedicated to security. It’s obviously not perfect and it is a larger attack surface than Jellyfin, but I’ll take that any day over devs who treat security as an afterthought
Orygin@sh.itjust.works 1 day ago
You mean the security team that got pwned here?
AmbiguousProps@lemmy.today 17 hours ago
What about the pwned users of Jellyfin that have unknowingly had security holes because Jellyfin doesn’t care enough to even put a banner in their settings to say it’s not secure?
MaggiWuerze@feddit.org 1 day ago
Still better to have a team to react to this incident than just have them shrug and ignore it for 5 years
FreedomAdvocate@lemmy.net.au 1 day ago
If you hand wave those away then you can’t possibly have any issue with Plex.
exu@feditown.com 1 day ago
I don’t have an issue with Plex. I don’t use it
MaggiWuerze@feddit.org 1 day ago
Again, it’s not random. It’s not a UUID. It’s an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. Take that plus the publicly available release names for movies and you’re done
ChairmanMeow@programming.dev 1 day ago
Put your files in a randomly named root folder and it’s fixed. Even still, isn’t the worst they could do pirating your service?
MaggiWuerze@feddit.org 1 day ago
No, the worst is that a company like Sony or their lawyers can find my server and create a list of movies I offer and then sue me over it. I live in a country where lawyers make a living doing nothing but that
ShortN0te@lemmy.ml 1 day ago
In fact, security by obscurity is not security at all. In this case it should be authenticated, or at the very least actually use a random string like a UUID. But changing the root path does prevent it from being exploited. Not perfect, but a temporary solution.
Another place? What else? You mean setting up your own server? That is in fact your responsibility.
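Added example, not part of any comment in this thread and not Jellyfin's code: a Python comparison of the three identifier schemes the comments above discuss (an ID that is only a hash of the file path, the same path under a randomly named root folder, and IDs that are keyed or random). `path_derived_id` is a simplified model of "md5 of the filepath" as stated in the thread; `keyed_id`, `random_id`, `compare` and the sample path are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed sample path following a conventional library layout.
SAMPLE_PATH = "/media/movies/Example Movie (2000)/Example.Movie.2000.mkv"


def path_derived_id(path: str) -> str:
    # Simplified model of the thread's description: the ID depends on the
    # path and nothing else. Jellyfin's real derivation may differ in detail.
    return hashlib.md5(path.encode("utf-8")).hexdigest()


def keyed_id(server_secret: bytes, path: str) -> str:
    # Hypothetical alternative: still derived from the path, but bound to a
    # per-server secret, so knowing the path alone does not yield the ID.
    mac = hmac.new(server_secret, path.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def random_id() -> str:
    # Hypothetical alternative: a version 4 UUID (122 random bits) that is
    # unrelated to the path and must be stored alongside the item.
    return uuid.uuid4().hex


def compare(path: str = SAMPLE_PATH) -> dict:
    secret_a = secrets.token_bytes(32)  # server A's secret
    secret_b = secrets.token_bytes(32)  # server B's secret
    # The workaround from the thread: a randomly named root folder.
    moved = "/" + secrets.token_hex(16) + path
    return {
        # No server-specific input exists, so every server with this layout
        # produces the same ID for the same file.
        "path_id_identical_across_servers": path_derived_id(path) == path_derived_id(path),
        # A random root changes the hashed input, so the ID changes too, but
        # the folder name is now the only secret protecting the item.
        "path_id_changes_with_random_root": path_derived_id(moved) != path_derived_id(path),
        "keyed_id_differs_across_servers": keyed_id(secret_a, path) != keyed_id(secret_b, path),
        "random_id_repeats": random_id() == random_id(),
    }


if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check}: {result}")
```

None of these schemes replaces authentication on the endpoint; they only change how much an outsider has to guess.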
exu@feditown.com 1 day ago
I live in a country where making copies of movies and having them for private consumption isn’t illegal.
I wouldn’t blame the Jellyfin devs for this situation, they inherited a lot of bad code from Emby and are still cleaning it up.
ChairmanMeow@programming.dev 21 hours ago
The Jellyfin devs have quite clearly outlined some of the issues in the setup guides, and others are detailed in issues on GitHub. They do work on it, but most bad code was inherited and they have limited time on their hands to fix it, preferably in a way that doesn’t instantly mess up everyone’s setups.