Nope. I don’t talk about myself like that.

  • 0 Posts
  • 856 Comments
Joined 2 years ago
Cake day: June 8th, 2023


  • Saik0@lemmy.saik0.com to Lemmy Shitpost@lemmy.world, "IYKYK" · 3 upvotes · 2 days ago

    Nope, it wasn’t… Even then though, the game is old enough that we can no longer assume that people have even played the game anymore. Kids are using the internet that would have been born after FO:NV. There are likely some 20 year olds on this site that have never played it because they would have been too young.

  • I was going to leave this alone… your original comment was correct enough that it wouldn’t matter, and your “dedicated attacker” left it fine when I read it before.

    But your edit has a gaping flaw. You assume that all content in the library would be physically released. Lots of shows and movies are not physically released now. Can’t claim “backup” for those. The moment a movie studio finds your stuff and can map a few titles, and one of them never had a physical release… you’re in the shit.

    But yes, you can be much harder to scan overall with a few steps. fail2ban is a great answer that makes it deeply unlikely to be an issue.

    But I wish that they’d just fix it.

    Edit: OR that they wouldn’t try to go after you for distribution…


  • All of these “vulnerabilities”, require already having knowledge of the ItemIDs, and anyone without it poking around will get banned.

    Which are simply MD5 hashes… You can precompute (rainbow tables) those. The “knowledge” here needed to get a valid video stream is “What path is the file on”, which is pretty standardized. This is a good way to have a major movie studio’s process server knocking on your door.

  • Sure. Now who here wants to litigate it and find out?

    The prosecution may have committed a crime in finding it.

    Web scanners/crawlers aren’t illegal though. And since it’s not authenticated there’s no attempt to break any security/authentication/encryption. You don’t get in trouble for finding a random URL in a google search and accessing it. You’d get in trouble if you had to bypass some security measure to get there.

    The point of this all is that these endpoints have no measure in place. Seemingly on purpose, and it’s documented by the maintainers that they don’t intend to fix it and leaving it open is intentional.

    You can gamble it. I won’t. I just can’t accept that “Jellyfin is better” that keeps getting pushed when big gaping problematic holes like this exist.


  • You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

    LMFO. I actually speak English, French, Polish, and German (in proficiency order) and have an EU citizenship.

    I just happen to live in the USA. So congrats, you’re wrong again. Try not to resort to personal attacks next time. You’ll look much less silly.

    YOUR intention doesn’t matter. You don’t maintain the jellyfin code. The actual code designers specifically left the endpoints open for “compatibility”. There was a conscious decision for those endpoints to not require authorization, and worse, IT’S DOCUMENTED. This is not like the case you’re quoting. If accessing endpoints without auth was ever illegal, almost all IoT devices would be illegal, a good chunk of gaming and other services would be illegal, etc… This premise is asinine.

    You realize that google and other sites regularly scan and capture direct links to websites without ever giving a shit about a login page somewhere else on the site. You don’t see lawsuits against any of those crawlers, nor the people who click the crawled links when they return in a search result. This is the exact same premise.


  • Article 323-1 : you access my server without my authorization -> 3 years of prison, 100k€ fine

    Bullshit. Notice the term is fraudulent. They are not making a bad login or accessing anything that requires authorization. Nothing here says that simply accessing a web page is sufficient.

    Article 323-3 : you touch my data in any way -> 5 years of prison, 150k fine

    Again, FRAUDULENT. Since it’s public access, there’s nothing illegal happening here. Further, any company that would be scanning for this material to build a lawsuit would have the legal right to reproduce the content (e.g. a law firm that was contracted by Universal, Sony, etc…).

    It requires authentication or bypass of functioning code to be fraudulent. Making calls to APIs that have no authentication cannot be illegal. This is literally how a good chunk of the internet itself works. If it was illegal, the internet wouldn’t exist in your country.

    Edit: Just to make it clear. It’s not a “flaw”. The GitHub link itself shows that the maintainers of Jellyfin are aware of the problem and intentionally do not “fix” it, as they want backwards compatibility.