• 0 Posts
  • 11 Comments
Joined 2 years ago
cake
Cake day: August 9th, 2023

help-circle
  • You don’t have to take my word on this, but when you have so many vulnerabilities, the foundation and knowledge about security practices by the developers is missing some key ingredients.

    I use Jellyfin. I like jellyfin. I would like people to use jellyfin, but do it responsibly.

    Citing backwards compatibility is not an acceptable answer either. If individual endpoints and/or protocols (web sockets) are being addressed as separate issues, then there is no overall filter for the most basic thing as checking if the user is authenticated, you know a potential attacker will look for more.

    Will they target jellyfin instead of your average government website with a low budget and similar issues? Unlikely, but possible if the level of effort is low and can potentially create a large botnet, maybe?

    You handle these with overall filters (or whatever they are called on c#) and white lists if something truly needs not to have it instead of reacting when someone reports it.

    The simple fact that some of the code was sending api keys as GET parameters (which get logged cross every access log in the middleware on its way to the target server) and it didn’t raise any flags seems sufficient enough to suggest DO NOT expose jellyfin directly to the internet.










  • Not sure if the UK is similar to where I lived, but they were the worst “cloud” provider I’ve ever used. Want to shut down the instance you had to recreate it with a different OS? Good luck getting it back online as they are out of capacity. Also, if you accidentally deleted one of the default network components it was impossible to recreate it without incurring a cost kind of going against anything you learned about cloud computing and “infrastructure as code”. It was a glorified GUI.

    Edit: I’m just glad my current employer does not use anything oracle as their support is also famously bad.


  • Developer1: @developer2: could you take a look, I know u know stuff about this.

    Developer2: can’t reproduce. Might be able to if I get the app logs in trace level, the blood of 3 dragons and a signed autograph of Michael Jordan’s third hello world program.

    User1: here are some other unrelated logs at info level only and nothing else.

    Git bot: clozed y’all.