Samesies

These are all holes in the Swiss cheese model.

Just because you and I cannot immediately consider ways of exploiting these vulnerabilities doesn’t mean they don’t exist or are not already in use (Including other endpoints of vulnerabilities not listed)

This is one of the biggest mindset gaps that exist in technology, which tends to result in a whole internet filled with exploitable services and devices. Which are more often than not used as proxies for crime or traffic, and not directly exploited.

Meaning that unless you have incredibly robust network traffic analysis, you won’t notice a thing.

There are so many sonarr and similar instances out there with minor vulnerabilities being exploited in the wild because of the same"Well, what can someone do with these vulnerabilities anyways" mindset. Turns out all it takes is a common deployment misconfiguration in several seedbox providers to turn it into an RCE, which wouldn’t have been possible if the vulnerability was patched.

Which is just holes in the swiss cheese model lining up. Something as simple as allowing an admin user access to their own password when they are logged in enables an entirely separate class of attacks. Excused because “If they’re already logged in, they know the password”. Well, not of there’s another vulnerability with authentication…

See how that works?

Please to see: https://github.com/jellyfin/jellyfin/issues/5415

Someone doesn’t necessarily have to brute Force a login if they know about pre-existing vulnerabilities, that may be exploited in unexpected ways

Fail2ban isn’t going to help you when jellyfin has vulnerable endpoints that need no authentication at all.

Jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.

https://github.com/jellyfin/jellyfin/issues/5415

The hard part is in the scripting, the retries, the back off, automation, queuing and queue management…etc

At that point I’m implementing my own bootleg TubeArchivist 😅

Oh it’s definitely an easy to read DB. But that’s still beyond the point IMHO.

If you can’t reconstruct the state of your files without 3rd party software to interpret them, then they are not in an archive format.

One should be able to browse their data using OS native tools on an offline device push comes to shove.

Yep, just like electron or Tauri. A web view wrapped in a native application.

These are very common these days, it’s the same use case and value proposition. Mainly because it’s just easier to develop UIs with web technologies that look the same everywhere, never without the app.

You do know that a pwa can be packaged up in an app container and you won’t even be able to tell the difference?

It doesn’t actually have to operate like a pwa, and require native pwa sport.

There are tons of apps that you use that are just well packaged PWAs, packaged as an app store app, and you don’t even know about it.

PWAs only suck on when they suck, just like everything else.

I got the feeling that these replies are written by ChatGPT?

More like yes please, I get better results and better customization, and no ads or paid results.

It makes my life easier and speeds my workflows up. And unlike free alternatives I almost never find myself reverting to Google.

Kagi literally documents how this works in their blog post about it: https://blog.kagi.com/kagi-privacy-pass

Perhaps you should start reading before writing?

I use jellyfin, and jellyfin is not safe to expose to the internet.

They have a handful of vulnerability and security holes that have been open for like 5+ years now. And the old emby architecture is quite difficult to work with.

And your simple command that covers all the file types supported, on any platform, is… What?

If you’re gonna bitch, and say your alternative is better, you had better cough up the alternative or your just full of shit…

In this case I run pfSense instead of my ISP provided router. This allows me to have my own DNS resolver, which I can then resolve various domains to internal addresses.

All devices on my network point to my router for DNS allowing them to resolve internal addresses from all of these.

That’s a good call out.

There are a few things I do right now:

1. All of my public DNS entries for the certs point at cloudflare, not my IP.
2. My internal Network DNS resolver will resolve those domains to an internal address. I don’t rely on nat reflection.
3. I drop all connections to those domains in cloudflare with rules
4. In caddy, I drop all connections that come from a non-internal IP range for all internal services. Additionally I drop all connections from subnet that should not be allowed to access those services (network is segmented into VLANs)
5. I use tailscale to avoid having to have routes from the Internet into my internal services for when I’m not at home.
6. For externally accessible routes, I have entirely separate configurations that proxy access to them. And external DNS still points to cloudflare, which has very restrictive rules on allowable connections.

Hopefully this information helps someone else that’s also trying to do this.

I just:

1. Have my router setup with DNS for domains I want to direct locally, and point them to:
2. Have a reverse proxy that has auto- certbot behavior (caddy) connected to the cloud flair API. Anytime I add a new domain or subdomain for reverse proxine to a particular device on my network a valid certificate is automatically generated for me. They are also automatically renewed
3. Navigation I do within my local network to these domains gives me real certificates, my traffic never goes to the internet.

It is, though the numbers are depressing.

A site like Reddit grows in its daily active users more than 15x (!!!) entire MAU base of Lemmy. “Reddit migrations” are barely a margin of error for them.

This is excluding, liberal, assumption of bot counts.

Even better, it’s now a nice database of who companies and governments can go after when they want or need to!