this post was submitted on 02 Apr 2025
230 points (100.0% liked)
Technology
38555 readers
335 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Who has the technical wherewithal to run Jellyfin but leaves access on the open web? I get that sharing is part of the point, but no one's putting their media collection on an open FTP server.
The level of convenience people expect without consequences is astounding. Going to be away for home for a few days? Load stuff onto an external SSD or SD card. Phoning home remotely makes no sense.
Friends, family using Jellyfin is the reason many have it directly available (and not behind VPN for example).
They jacked their prices, or are about to anyway. If you don't have a lifetime Plex pass then Plex might not be a viable option. My seedbox provider has been pushing people to Jellyfin for anyone without a Plex pass.
I thought I had a lifetime Plex pass, but turns out I was on yearly and the price went up $20/year, so I bought lifetime before the price went up. My whole family uses Plex, I couldn't handle setting up Jellyfin for everyone and their devices.
Doesn't have a sync play feature like Jellyfin does
thanks but no. I like my privacy more
I'm not exposing jellyfin, but for sure I wouldn't let my plex server even see the internet (I bet iy wouldn't even work that way).
jellyfin is perfectly accessible everywhere it needs to be. been using a VPN on my phone for ages for all traffic.
You would be very wrong about that. You can even search open FTP servers using Google
http://palined.com/search/
OK. I'll revise. No one with any sense is doing this. "Hi, RIAA and MPAA, come after me" is an asinine approach. I realize we have at least one generation unfamiliar with Napster, KaZaa and LimeWire, which replaced ratio FTP servers (which in turn replaced F-Servs in IRC). This is terrible online hygiene. You don't leave your media out there for all to see. At least password protect access before linking to your friends.
Look at the rest of this thread though... many people are just fine with "this is FUD, I'm going to keep doing it!"
Still, posts like this raise awareness of the problem.
The typical guides for installing Jellyfin and friends, stop at the point where you can access the service, expecting you to secure it further.
Turns out, the default configuration for many (most) routers, is to allow external access to anything a local service will request it to allow, expecting you to secure it further.
Leaving it like that, is an explosive combo, which many users never intended to set up, but have nonetheless.
My Jellyfin server is behind Cloudflare with IP outside of my country banned.
I got Crowdsec set up on Cloudflare, Traefik and Debian directly.
I got Jellyfin up in a docker container behind Traefik, my router opens only 80 and 443 ports and direct them to Traefik.
Jellyfin has only access to my media files which are just downloaded movies and shows hardlinked by Sonarr/Radarr from my download folder.
It is publicly exposed to be able to watch it from anywhere, and share it to family and friends.
So what? They might access the movies, even delete them, I don't care, I'll just hardlink them back or re-download them. What harm can they do that would justify locking everything down?
Well... if "they" happen to be the rights holders or lawyers of the rights holders and they happen to enumerate their content on your system because they can guess common linux paths and likely names that their movie/show/music would appear as in your system, you're going to care real quick when the lawsuit comes.
Where I live, I have the legal right to have a copy of a film of which I have a legal version, they can watch my media library as much as they want, it's not enough to prove that it's illegal.
And hacking my server is illegal, they can't go to court by presenting evidence obtained through hacking, they would risk much more than me.
Keeping that copy on a web accessible platform that is accessible by anyone on the internet(unauthenticated) isn't covered by your rights at a bare minimum.
Depending on the content "timing" if they trigger on something that doesn't have a physical/consumer release yet... or all sorts of other "impossible" conditions. This is obviously reliant on what content you actually have on your server.
It's still something regardless that it's best not to invite.
It's as accessible as my DVD collection in my living room: anyone can get into my home without a key by illegally breaking a window.
Using a flaw in my Jellyfin to access my content is illegal and can't be used against me to sue me, period. The idea of rights holders who would hack me to sue me is just plain ridiculous.
And again, the only proof they would have could not be used in courts.
For real, you're just fear-mongering at this point.
I was sincerely hoping someone would bring some real concerns, like how one of these security breaches listed in the OP could allow privilege escalation or something, but if all you got is "Universal might hire hackers to break through your server and sue you", you're comforting me in my idea that I don't have much to fear
There is no authentication occurring. There is no "hacking" here. Nothing about scanners or bots scraping unauthenticated endpoints is illegal. This would be admissable.
Using a flaw in a software to retrieve data you should not have access to is illegal where I live, the same way as you're not suddenly allowed to enter my house and fetch my drawers just because I left a window open. I won't debate this point further.
Is the place you live anywhere in the US? If yes, then it doesn't matter because they have the money. If no, then honestly you probably actually have sane laws.
I live in France, and these are the relevant laws :
Bullshit. Notice the term is fraudulent. They are not making a bad login or accessing anything that requires authorization. There is no requirement here that simply accesses a web page is sufficient.
Again FRAUDULENT. Since it's public access, there's nothing illegal happening here. Further any company that would be scanning for this material to build a lawsuit would have the legal right to reproduce the content (eg a law-firm that was contracted by universal, sony, etc...)
It requires authentication or bypass of functioning code to be fraudulent. Making calls to apis that have no authentication cannot be illegal. This is literally how a good chunk of the internet itself works. If it was illegal the internet wouldn't exist in your country.
Edit: Just to make it clear. It's not a "flaw". The github link itself shows that the managers of jellyfin are aware of the problem and intentionally do not "fix" it as they want backwards compatibility.
https://www.legifrance.gouv.fr/juri/id/JURITEXT000030635061/
Case law from the Cour de Cassation, where the defendant was convicted, by Articles 323-1 and 323-5, of having extracted data freely following a proven failure of the protection system.
The complainant just had to show that the data SHOULD have been inaccessible, by expressing this “with a special warning” :
Translated :
In my case, the first thing you see when you arrive at my Jellyfin instance is a login form blocking your entry, and you have to go through a backdoor to access my data, so there's no ambiguity on this point.
You're wrong, period. Stop trying to debate laws interpretation of a country you don't even speak the language of.
LMFO. I actually speak English, French, Polish, and German (in proficiency order) and have an EU citizenship.
I just happen to live in the USA. So congrats, you're wrong again. Try not to resort to personal attacks next time. You'll look much less silly.
YOUR intention doesn't matter. You don't maintain the jellyfin code. The actual code designers specifically left the endpoints open for "compatibility". There was a conscious decision for those endpoints to not require authorization, and worse, IT'S DOCUMENTED. This is not like the case you're quoting. If accessing endpoints without auth was ever illegal, almost all IoT devices would be illegal, a good chunk of gaming and other services would be illegal, etc... This premise is asinine.
You realize that google and other sites regularly scan and capture direct links to websites without ever giving a shit about a login page somewhere else on the site. You don't see lawsuits against any of those crawlers, nor the people who click the crawled links when they return in a search result. This is the exact same premise.
Oh you insufferable rawgabbit. Even in the face of definitive proof, the only thing you care about is throwing a 4 paragraphs tantrum trying to twist every single word just to not say "OK, maybe I was wrong on that thing". I'm out.
I'm insufferable? You're the one relying on personal attacks to make your point. Then run away with tail between legs when I show you 1) how it's not the same as your case and 2) how other current internet operations WOULD be the same, and there's no lawsuits in regards to those things.