Important Notice of Security Incident
(forums.plex.tv)
from KarnaSubarna@lemmy.ml to selfhosted@lemmy.world on 09 Sep 14:00
https://lemmy.ml/post/35903962
from KarnaSubarna@lemmy.ml to selfhosted@lemmy.world on 09 Sep 14:00
https://lemmy.ml/post/35903962
Additional read: bleepingcomputer.com/…/plex-tells-users-to-reset-…
threaded - newest
I am curious as to why people thing Plex is self hosting if Plex can change how your server functions? I have never personally considered it self hosting but do others still think it is?
Because you are hosting the server software on your own hardware. That’s literally self-hosting. Plex provides a way to remotely access your server through their own network as well, which is optional.
On a side note: you can remotely access any service running on home network via Tailscale[1] / Cloudflare Tunnel. Your services are never exposed on Internet. Moreover, you don’t need to rely on Plex for that.
[1] tailscale.com [2] developers.cloudflare.com/…/connect-networks/
Tailscale is going public, so I don’t really trust them anymore. I used Cloudflare tunnels for a while, but I strongly dislike being dependent on them for accessing my own network, and I don’t like how they recently clamped down on “anti-piracy”. There are some legitimate sites I still can’t access (dirtbike parts and whatnot) because Cloudflare straight up blocks access to them.
Even if the source code is open?
Android is open source and look what Google is trying to do with that.
Go with pangolin. You can easily host the control layer either on a cheap vps or your own internet exposed server. Same features as tailscale although with a bit more complexity.
The problem with Plex is it isn’t fully hosted. Plex controls user passwords. You can’t use it without logging into their servers.
You can access it through your local network without authentication. Add a vpn and you got the same setup Jellyfin fans will praise
Not really. The first local login to configure it requires a Plex account. And that account times out maybe monthly? It seems every few months when I remote to the Plex server it wants the plex account to login.
Yes. It’s running on my server. That I host.
And you fully control the service?
Depends on how you use it. Doubtful anyone here has the Plex devs on payroll… Not any other self-hostable softwares devs … updates will come.
Even though there are some cloud services like remote server management, proxies, and 3rd party integration, I do actually have to run the software myself on my hardware. Hence, self hosted.
Plex is self hosting, the auth is not.
Actual answer.
So is the auth needed to set up your plex in the first place? It has been forever sence I used it.
no, the auth to use it at all ... internet goes down and you can't watch your own movies on your own network. peak self hosting.
Ok that is good to hear!
You can add IPs that are allowed to use it without auth. The software itself is running on your own server.
That’s simply not true. You can just set your local ip range as unauthenticated and use it to your hearts content without an internet connection.
How is that any different than any other software package? Unless you’re coding it yourself, things can be changed without your permission.
And even if you do code it yourself, you may have dependencies that do undesirable things outside your control.
Jellyfin I don’t have to update if I don’t want to. Jellyfin can’t force me to update by taking a function I currently have away or force my to pay to keep using it the way I currently am. With open code I can fork it and keep it at the version I want if I choose.
At least for now. Jellyfin was spawned from Emby who also decided to go closed source at one point. You’re still at the whim of strangers and what they want to do with the product they developed.
Regardless, the debate isn’t about “Plex vs Emby,” it’s whether “Plex is self-hosting” or not.
why stop there! let’s do the same for all the “self-host” projects that use CDNs or remotely hosted resources.
it’s not self-hosted unless it’s 100% hosted locally.
Right, he who does not rely on someone elses DNS-server shall throw the first stone!
By your logic the *arr suite isn’t self hosted either since they rely on metadata cache servers.
In fact Jellyfin relies on external services for their metadata too!
You are a bot? That’s what I’m seeing in Boost anyhow
Just asking a question looking for answers, not a not. Cheers mate.
<img alt="" src="https://lemmy.world/pictrs/image/94100749-f3ea-457d-af41-8c820f02e745.png">
it’s just a sivilian being sivil.
You appear to have labeled your Lemmy account as a bot account.
Should have been put in the OP because people are going to jump the gun:
Still, always good practice to change your password after this sort of leak. However unlikely it is that someone could access your account, it’s never a bad idea.
If you use a unique password and have 2FA on there’s no real need, but yeah it can’t hurt.
I bet the 2FA secret was leaked too though…
Right there in the announcement.
Plex can't catch breaks recently.
Self hosting does come with risks though. People should be on notice.
In general, for self-hosting, we hardly rely on remote service/server. The whole idea of self-hosting is to shun dependency on external service/server, and run everything on your own hardware and network. So that every aspect of the service is in your control. I don’t think self-hosting comes with much risk, unless you make your service available on Internet.
Well plex can't be run without it pinging the mother ship...
But I get your point. I don't open shit up for remote use.
Which is exactly why I never installed Plex and went straight to Jellyfin
Plex has more apps support. But yeah I can't wait for the day where I can move over.
Was on the fence for a long time, and I made the move just recently (after the pricing changes. Didn’t effect me since I was grandfathered in, but I saw it as a harbinger for worse things to come) With the creation of Wizarr, it solved my biggest problems with Jellyfin. I can just send an invite link, and it creates accounts for people on Jellyfin, Audiobookshelf, and Kavita, and lets me set up introductory guides for everything. Despite the menu UI/UX being significantly worse than Plex, playback is smoother, load times are shorter, and it can actually handle streaming to really slow internet speeds, something that Plex had a lot of trouble with.
The only app I noticed missing was the Tizen app, but they are working on getting it approved. I only had one family member using a Tizen TV, so I just gave them an old chromecast to run off of instead.
Jellyfish cannot to setup to securely and safely be exposed to the Internet. It is only safe to access through a VPN. That rules it out as an option for sharing with friends, family, or even my own spouse. You call it phoning home to the mother ship; I call it paying Plex to manage user authentication for me. Until Jellyfin’s security holes are patched and it becomes clear that the Jellyfin developers actually care about security, it stays locked down to my LAN. Setting up a VPN is difficult for the average user on a good day, impossible in some circumstances on even the best of days, and is not access I want to hand out (and support) to all the people I share my Plex with anyway.
tailscale.com This is essentially a mesh Wireguard Tunnel connectivity that ensures only you can access your service remotely.
That’s not very helpful for connecting family, friends, and especially grandma.
Not really true for self hosting a media library though, as this all relies on indexers, torrent sites, Usenet providers, metadata providers, subtitle providers, etc. If you host it for others outside of your household, you also rely on your ISP, their ISP, etc.
Went there to update my password but got reminded what a horrible experience Plex is these days, so deleted my account instead.
:D
I’ll probably get the lifetime pass after seeing how cumbersome setting up jellyfin is.
It takes fairly little effort to set up Jellyfin. I think there’s scripts these days that set up the entire arr stack for you in a matter of minutes.
I have jellyfin setup. What do you mean the entire arr stack?
It’s a bunch of programs for automated torrent downloads. No idea what it has to do with setting up jellyfin, though.
They mean a script that will install tools like Sonarr, Radarr, Prowlarr etc
Are these things worth it? At the moment I am manually downloading what I need from Usenet.
Personally it’s quite nice. I just request what I want to watch and the system grabs it automatically. It can download from Usenet too.
Cool! I’ll try to look into it. Thank you!
You’re using Usenet for downloading Linux ISOs and you haven’t set up the *arrs? What on earth lol
I managed to do it yesterday for radarr and it is quite something! I have never felt the need to be honest. It feels like there is quite the initial setup and then it should work seamlessly. I just never had the time to do it.
Jellyfin setup is fairly effortless. They have a very long way to catch up on apps though. That’s all that’s keeping me in plex.
Installing jellyfin is as easy as setting up any self hosted thing though… Just use docker compose if you want simplicity.
And secure remote access for me and my friends and family?
Wireguard is also very simple to setup. This would allow you to share other services you host in the future in a secure way as well.
Your mom’s Tizen TV doesn’t have a Wireguard or Tailscale client, so you’re going to be the person configuring her router, or setting up a Pi or something, as well as now being the designated tech support.
Its not hard to setup a proxy and use a full SSL cert. A little bit more complex but much simpler for the rest of the family.
You suggested Wireguard, not me. I’m pointing out how it isn’t a great solution to the problem that was presented; you can safely access it remotely with a VPN, but then that isn’t very useful for sharing with others, and you can expose the service to the internet at large, but then you’re opening yourself to risk.
Yes that’s why I suggested a alternative. Although wireguard is simpler to setup initially. Using proxy’s and exposing your service directly is simpler for the end user. Both are not difficult to do.
Personally, I found it as easy as Plex. I started my self hosting journey with Plex and Minecraft servers on a windows pc. Now I’m launching docker containers over ssh and lxc containers in proxmox for Jellyfin. Minecraft is still the hardest thing to host lol
I’m actually considering hosting a Luanti / “MineTest” server for this experience, since my wife lost her Minecraft account / key thingy since the time we played in beta ages ago haha.
I wonder if it’s any easier to host or not. 🤔
Wdym it’s like a couple of clicks
They’re probably just using some shit browser or something. I had no issues either.
Same lol, using jellyfin now instead
Meanwhile I made a post asking if plex is bad now and most people on it said “no it’s great I paid for my lifetime pass years ago and its been the best!” Yeah, we know the truth now.
Jellyfin all the way.
I’d love to switch. I would do it right now, but the problem is that Jellyfin’s security isn’t better if you open it up to the internet. For example, I’d have to set up a VPN for my remote users for proper security, and most of my users are in other states, not technically inclined, and watch on their TVs. I’d have to at least support a raspberry pi for them, or some sort of site to site VPN, and if it goes down, I’ll be expected to fix it. On top of that, if I do a simple raspberry pi based VPN, it would be made even more complicated since they’d want it to work with their smart TVs.
Again, I really want to switch. But Jellyfin needs to fix their security issues before I can. I’m also happy with the way Plex is reporting this, it’s above the standard “your data is lost” notifications.
Edit: here’s a link to the related GitHub issue I’ve been following: github.com/jellyfin/jellyfin/issues/5415
And @Saik0Shinigami@lemmy.saik0.com has a great thread explaining more: lemmy.today/comment/18923504
Thank you for that issues link. I keep trying jellyfin every now and then and I run into issues with general bugginess so I haven’t been able to switch. Seeing that it’s kinda full of security holes makes me even more reticent.
Jellyfin is great… As long as you’re the only one who needs to access the server. I’ve switched to using Jellyfin myself, but I still run Plex for others to access.
I’ve found that I get a smoother playback experience on Jellyfin, but even outside of potential security issues, there are a still couple of features I miss from Plex.
What are those features?
One was automatic collections, but the plugin for this has since been updated, and the bug I was experiencing has been fixed. The one remaining feature that I’m missing is user ratings for media. On Plex I have automatic collections of movies that I’ve rated four and five stars, and it’s quite useful.
This is the same reason I haven’t switched. My parents use it to watch the local OTA channels and I have zero intention of supporting a site to site VPN on their home network and multiple mobile devices.
My big complaint with Jellyfin is that their documentation showed a “fast forward” hotkey that convinced me to switch from Plex, and when I started it up it was a misnamed “jump forward five seconds” button instead.
It’s still better for my needs, but I remain angry.
Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account
I mean, that’s fine, but it’s still an issue and a risk that would cause me to want to use VPN for remote viewing. It doesn’t seem like security is Jellyfin’s priority at the moment, not that it’s Plex’s either, but it’s not to a place where it’s worth it to switch from a security standpoint, personally.
Plex has a whole team dedicated to security. It’s obviously not perfect and it is a larger attack surface than Jellyfin, but I’ll take that any day over devs who treat security as an afterthought
You mean the security team that got pwned here?
Still better to have a team to react to this incident than just have them shrug and ignore it for 5 years
What about the pwned users of Jellyfin that have unknowingly had security holes for 5 years because Jellyfin doesn’t care enough to even put a banner in their settings to say it’s not secure?
What security holes? I think the bigger problem here is relying on a media platform to also maintain security protocols. Use authelia or plug some other well maintained and hardened security mechanism on top of jellyfin. Then put it in front of everything else like the arrs, etc. Its weird to me to just setup jellyfin, make it Internet facing, and believing everything is just gonna be safe and secure with no issue. Frankly id prefer if all these services came without security. Its a royal pain to bypass it for localhost or proxying with something like authelia.
Huh? Did you even read the whole thread? They’re linked above.
If you hand wave those away then you can’t possibly have any issue with Plex.
I don’t have an issue with Plex. I don’t use it
Again, its not random. It’s not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you’re done
Put your files in a randomly named root folder and it’s fixed. Even still, isn’t the worst they could do pirating your service?
No, the worst is that a company like Sony or their lawyers can find my server and create a list of movies I offer and then sue me over it. I live in a country where lawyers make a living doing nothing but that.
Besides that, security by obscurity is the worst possible form and barely qualifies as security at all. It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.
And none of this is clearly communicated by the project. The unauthenticated endpoints are not disclosed, the issues with the filepath is not disclosed. Jellyfin fans treat it as a drop in replacement for Plex, but people using it as such basically throw an unauthenticated server onto the open web
I live in a country where making copies of movies and having them for private consumption isn’t illegal.
I wouldn’t blame the Jellyfin devs for this situation, they inherited a lot of bad code from Emby and are still cleaning it up.
In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.
Another place? What else? You mean setting up you own server? That is in fact your responsibility.
The Jellyfin devs have quite clearly outlined some of the issues in the setup guides, and others are detailed in issues on Github. They do work on it, but most bad code was inherited and they have limited time on their hands to fix it, preferably in a way that doesn’t instantly mess up everyone’s setups.
They could put a banner in the network settings warning users about these security issues while they get them fixed, that doesn’t require fixing any inherited code. In the GitHub issue linked, there’s at least one upset user because they had no idea this was even a problem.
Seems unlikely that this happened. Most people on Lemmy despise Plex and forgive all the shortcomings of Jellyfin
Thats what I thought too. But I posted on ask lemmy, not here.
What are the 3 biggest shortcomings of Jellyfin ?
Ironically, security.
Well it’s just generally buggy firstly. Glitchy UI for me especially for hours after I started scanning my media library.
Also it has no built-in system for connecting from somewhere outside your home. You have to manage that yourself.
Then there’s the fact that it’s got lots of security issues.
What do you mean with glitching UI ? Is it more than just not responding while scanning ?
I left the scan running for an hour or so, came back and it showed, maybe all, of my shows and seasons. However, on certain views, it would not list episodes that definitely exist. The page looked kind of broken. I thought “okay I’ll give it more time”. An hour or two later, same deal. Cleared browser cache multiple times. Nothing worked. Came back the next day and it was “fixed”. But that experience felt pretty janky.
I had something similar when I used XMBC (I think it’s called kody now) and it seems it was because there was some confusion with the scrapper to imdb and it needed some manual override file. You had to create a .nfo file or something like that, that told the scrapper the right imdb number or other exact identifier for it. I wouldn’t be surprised if the people at plex have some way to know of all the custom fixes people do and with that, when you have some issue recognizing some content, they can figure out what most people do.
I would be surprised if jellyfin has any way to to know what the users are doing so that wouldn’t work
That’s not what this was though, because it eventually fixed itself. I couldn’t begin to diagnose the bug, but the way I have my stuff organized works in jellyfin, but something about it’s scanner and/or database seems to have issues.
So you didn’t care, just wanted to downvote. Cool.
I haven’t installed jellyfin, I’m never installing plex, I would just use samba shares over vpn instead of that.
I wanted to know what’s the problem with jellyfin ?
Is it more than the weekend-destroying linux-jankiness ?
Because I can deal with that
I listed three things. I didn’t have the patience to suss out what might be wrong with it because Plex required no fiddling and afaik does not have any open security issues.
Plex followed best practices and made sure that in the event of a data breach your accounts were safe, and alerted us promptly to the breach and reassured us that nothing private/of value was compromised.
JellyFin knowingly leaves multiple API endpoints with zero authentication.
I know which one I prefer, and it’s not the one with gaping security holes marked as “won’t fix”.
People don’t seem to understand that no-one can reasonably stop a breach today.
The question is whether the attackers got anything of value and how easy they got in.
This breach was, in fact, very preventable. Plex didn’t need to force users to authenticate with a central server to access their own self-hosted media in the first place.
That’s not how “preventable” works.
Leave Plex
<img alt="" src="https://feddit.org/pictrs/image/0d02ef32-a37f-42e0-9410-99005f784f0f.jpeg">
alone!
Even is plex is “bad” now, it’s still years ahead of jellyfin.
Plex hasn’t been getting better, but it still does what I need. I have a lifetime pass from years ago. If I was starting today I would be a lot less inclined to pay for Plex though. They keep adding things I don’t want.
Plex has been getting better and better actually, but if you don’t want to pay for it then your experience will have gotten worse.
Glad I started out with Jellyfin
Same here.
I mean, jellyfin is absolutely even.more of a security nightmare than Plex, with multiple unfixed CVEs IIRC (software, not website or forum)
I use jellyfin also, but I only trust it not exposed to the internet at all. That is one very big area of improvement for them.
That and subtitle syncing.
I dropped it in favor of Jellyfin some time back, but this was a good excuse to go ahead and delete my family’s accounts.