Posts: 0 | Comments: 1,310 | Joined: 2 yr. ago

  • I mean, yes, but there are ways around it. Windows could have a public key embedded somewhere and the private counterpart gives access, the command could depend on the time it's received, so it's never the same and without the private key it's impossible to reproduce, and the Killswitch could be non-instantaneous, combine all of that and you have a Killswitch that:

    • It's very hard for you to realize something happened, because by the time it happens the trigger is lost in a sea of other requests
    • Even if you were to fine comb through all of that and spot it, it's encrypted
    • Even if you were to resend it it would do nothing, because the time has changed
    • Even if you managed to find the public key and decrypt it the actual content could be innocuous, like a random looking string
    • As long as the private key is secure enough it would be impossible to crack
    • Even if you somehow managed to crack it and send anything you want to the PC you don't know the protocol to generate the random strings and you only have the one example of the message (which no longer works)
    • Even if several people did this the content could truly be random (in the common sense of the word, i.e. pseudo-random), since Microsoft controls the RNG on Windows they can use that to ensure that random data gets generated equally

    And I'm not even a cryptographer, people who come up with new encryption protocols can surely do a lot better than my naive example above which would make it almost impossible for someone to figure out.

  • I mean, he's joking, but:

    AMD Drivers: yeah, this one's not a thing

    Chrome: https://www.gnu.org/software/emacs/manual/html_node/emacs/EWW.html

    Gmail: https://www.emacswiki.org/emacs/CategoryMail

    Office 360: https://orgmode.org/

    I-Tunes: https://www.emacswiki.org/emacs/itunes.el (although this one probably doesn't work)

    JBL: I have no idea what it is

    Muse score: https://github.com/piercegwang/staff-mode

    Anti-virus: I don't know of any, but I wouldn't be surprised if someone listed a plugin for checking files

    PyCharm: This is the one he said to use Vim

    Remote desktop: Emacs can natively open remote files or directories

    Star citizen: obviously not

    Steam: Obviously not, because it's proprietary, I really wouldn't be surprised if there's a GOG plugin

    VPN: https://github.com/anticomputer/ovpn-mode

    There's some truth to the joke that emacs is a very complete Operating system.

  • He said remote desktop to iOS not from iOS, that means he needs a client on his desktop to access the server on the phone. If it was android the answer is scrcpy but I'm not aware of any such tools for iOS (since I don't own an iOS device).

  • AMD Drivers: if your GPU is new enough (which it probably is since you're playing Star citizen) it should be just magic here since they come together with the kernel.

    Chrome: it's available for Linux, no need to switch. Although Firefox is very nice too.

    Gmail: not sure what you mean, Gmail is a website, those are available on any platform. If you meant a desktop email client (which honestly I have never in my life used) there's Thunderbird.

    Office 360: Are you talking about Microsoft 365? Is that not a website too? In any case LibreOffice is a nice alternative to the classical Office desktop app too in case you want that.

    I-Tunes: A quick search online reveals people use wine to run the Windows version of iTunes, although I would probably consider migrating. Spotify has a native client and there are some places where you can buy music and have it locally for playback.

    JBL: not sure what this is other than a brand for speakers.

    Anti-virus: You almost assuredly don't need an anti-virus on Linux, as long as you install software through the proper channels (i.e. using the package manager) chances of virus are so small it's not something to worry about. Most Linux anti-virus serve to check windows binaries in the system to avoid someone using the Linux machine to send virus to Windows users.

    PyCharm: it's available for Linux

    Remote desktop to iOS: Not sure this is possible even on Windows, I use remmina for remote desktop, it supports several ways of connecting to the other device so maybe see if it works for you.

    Star citizen: Never played it but it seems to be playable with Wine.

    Steam: While steam is available not all games are compatible, check out https://www.protondb.com/ to see the status of any specific Steam game.

    VPN: should be native on Linux, there's a protocol called OpenVPN which most VPN providers will give you a Config file for that you can use directly on the network applet on Linux.

    PS: Next time share the list in text, it makes it easier to reply

  • No need to apologize, it's a weird choice from Plex, I would have never guessed that this is how it works if I hadn't suffered outages myself, and I'm amazed that not many people call them out on this, it seems completely against what most self-hosting people are looking for, but they seem to defend Plex with teeth and nails.

  • First of all I agree with most of your a, b and c points, just would like to point out that while it's true that Docker containers provide an extra level of security they're not as closed down as people sometimes believe, but as a general rule I agree with everything you said.

    But you're wrong about the way Plex works, this is a quote from their documentation:

    So, your Plex Media Server basically “relays” the media stream through our server so that your app can access it since the app can’t connect with your server directly.

    If that's not clear enough:

    Your security and privacy is important to us. When you have enabled secure connections on your Plex Media Server, then your streaming will continue to be secure and encrypted even when using our Relay feature. (When using secure connections, the content is encrypted end-to-end and tunneled through our Relay. The connection is not terminated on our servers and only your Plex Media Server has the certificate.)

    So it's very clear data is streaming through their relay server, which goes back to my original point of I expect that to be a paid feature, it's using bandwidth from their relay servers.

    As for the security again you're wrong, authentication happens on the Plex remote server, not on your local one, which is why you can't use Plex without internet (part of my dislike for them). So you connect to Plex remote server and authenticate there, you then get a client that's talking to the remote server, even if someone was able to bypass that login they would be inside a Plex owned server, not yours, they would need to then exploit whatever API exists between your home server and that one to jump to your machine, so it's an extra jump needed, again similarly to having Authelia/Authentik in front of Jellyfin.

  • You are, authentication on the VPS, you're relying on Jellyfin authentication against the internet. Correct me if I'm wrong, but this is your suggested setup: [home server] Jellyfin -> [remote server] Reverse Proxy -> [remote machine] users. Let's imagine a scenario where Jellyfin has a bug that if you leave the password empty it logs you in (I know, it's an exaggeration but just for the sake of argument, an SQL injection or other similar attacks would be more plausible but I'm trying to keep things simple), on your setup now anyone can log into your Jellyfin and from there it's one jump to your home server. On Plex's solution even if Plex authentication gets compromised the attacker only got access to the remote server, and would now need to find another vulnerability to jump to your Plex at home.

    Putting something like Authelia/Authentik on a VPS in front of Jellyfin is a similar approach, but the Jellyfin client can't handle third party authentication AFAIK

  • It's not, not directly at least, and that's what everyone is ignoring here. You probably understand the value on Authelia/Authentik but you're failing to see that the Plex relay server is taking that same mantle here, so even if someone managed to compromise the relay server it's still not on your home server, whereas exposing jellyfin directly to the internet only requires one service to be compromised.

  • In some way is different from directly, on Plex you're behind a relay server so it's akin to being behind a VPS running Authentik/Authelia in front of the service on your home. Compromising the relay server does not necessarily compromise your home server, so it's not direct like putting Jellyfin on a reverse Proxy would be.

  • How do you do this on Jellyfin? The only ways I'm familiar with is to expose Jellyfin to the internet or access it through Tailscale, would love to hear alternatives.

    Edit: From the replies I think that either I don't understand how this feature works or many people here don't, so I'll give an overview of my understanding and explain why this is different from anything you can do on Jellyfin and what's the closest you can come.

    You are running Plex-home in your house, Plex-home connects to Plex-server hosted by Plex and establishes a reverse connection that's only accessible by Plex-server, i.e. you can't access your Plex-home outside of your house. When you login on Plex you're logging in to Plex-server and if you're in the same network as Plex-home you get redirected to form a direct connection with it, if not (and for me Plex keeps failing this verification) you connect to Plex-server and every request you make gets forwarded to Plex-home and when you ask for media it gets routed through Plex-server. This is very different from exposing Plex-home directly to the internet, in order for someone online to access your Plex-home they need to have taken control of Plex-server and then they're limited by the API between those two (which might be different from the Plex-home API) to try to escalate into your machine.

    With Jellyfin there's no server side component, you access Jellyfin directly every time, so in order to access Jellyfin outside of your house it needs to be accessible for everyone. The closest you can come up with is using a third party authentication server, for example by having a VPS running Authentik/Authelia/etc and hosting Jellyfin behind that authentication. This gets you a similar level of security because someone would need to compromise your Auth and then your Jellyfin to get into your server. However I'm not sure Jellyfin clients would know how to handle a third party authentication service, and would probably just crap their pants and prevent you from logging in. You could still access it in a browser, but not on native clients like the one on your TV or Fire Stick.

    If you don't have this VPS with authentication you're exposing Jellyfin directly to the internet, which means that any flaw in Jellyfin security immediately compromises your home server. And while I don't expect there to be many big or obvious flaws, there's a reason why stuff like Authelia or Authentik exists, and besides the convenience of a SSO they exist because proper authentication is hard and has many pitfalls, and they offer security in the knowledge that their main focus is authentication, whereas on most other services authentication is just one of the features they offer so it might not be as secure.
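The two setups compared in the comment above, written out as a reverse-proxy configuration on the VPS. This is an added example and not part of the original comment. It assumes nginx with the `auth_request` module and an Authelia-style auth server on the same VPS; the hostnames, addresses, ports, certificate paths, the auth endpoint path and the `rd` redirect parameter are all assumptions to check against your own deployment.

```nginx
# Added example. Hostnames, addresses, ports and certificate paths are placeholders.

# (a) Direct exposure: Jellyfin's own login is the only thing between the
#     internet and the home server.
server {
    listen 443 ssl;
    server_name media-direct.example.org;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    location / {
        proxy_pass http://10.8.0.2:8096;   # Jellyfin at home, reached over a tunnel
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# (b) Same proxy, but every request must first pass the auth server on the VPS.
server {
    listen 443 ssl;
    server_name media.example.org;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # Subrequest target: 2xx lets the request through, 401 blocks it.
    location = /internal/authz {
        internal;
        proxy_pass http://127.0.0.1:9091/api/authz/auth-request;  # assumed endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-Method $request_method;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    }

    location / {
        auth_request /internal/authz;
        # Browsers are sent to the login portal; a client that cannot follow
        # this redirect and complete the login just sees a failed request.
        error_page 401 =302 https://auth.example.org/?rd=$scheme://$http_host$request_uri;

        proxy_pass http://10.8.0.2:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

In (b) an unauthenticated request never reaches Jellyfin, so a flaw in Jellyfin's login is only reachable after the auth server has been passed.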

  • Why would you expect this to NOT be paid? It requires them to be running servers to stream the media through, I wouldn't expect this to be a free feature.

    I dislike Plex for several reasons, but asking for payment for stuff that costs them money is completely justified.

  • Kodi and Plex do different things, both of them organize your media and give you a pretty interface to access it, but Kodi is a program running locally and Plex is a webservice that you can access remotely. Jellyfin is the open source program that does the same thing as Plex, i.e. a media server manager that can be accessed remotely through a web interface.

  • I tried Authelia but couldn't set it up, so I've been using Authentik and have been quite happy. The only downside is that I had to configure it using the GUI instead of with config files, which I think would have been a point for Authelia, but couldn't get it to work properly.