Out of curiosity as an owner of a QNAP NAS, how did it go out? Any signs it was in its last legs? Now that I’ve used one, the form factor is the only thing better than most options out there when I got it.

Nowadays all QNAP, Sinology and other NAS vendors supposedly offer a lot of extra value with their cloud options, but I find them a sure way to get hacked based on the average company’s investment in security (I work in IT, it is a sad affair sometimes) combined with all the ransomware specifically targeting them due to old packages they rely on = I’ll build my next system from the ground up, even if the initial cost is higher and the result is uglier.

deleted by creator

deleted by creator

Not to mention that some providers offer APIs to provide certificates without opening port(s) 80/443. This allows using nice host names on your personal domain with valid SSL over the internal network too. Want to migrate a server or service? Just change the IP associated with the domain on the internal DNS. Makes migrating and upgrading a lot easier.

You don’t have to take my word on this, but when you have so many vulnerabilities, the foundation and knowledge about security practices by the developers is missing some key ingredients.

I use Jellyfin. I like jellyfin. I would like people to use jellyfin, but do it responsibly.

Citing backwards compatibility is not an acceptable answer either. If individual endpoints and/or protocols (web sockets) are being addressed as separate issues, then there is no overall filter for the most basic thing as checking if the user is authenticated, you know a potential attacker will look for more.

Will they target jellyfin instead of your average government website with a low budget and similar issues? Unlikely, but possible if the level of effort is low and can potentially create a large botnet, maybe?

You handle these with overall filters (or whatever they are called on c#) and white lists if something truly needs not to have it instead of reacting when someone reports it.

The simple fact that some of the code was sending api keys as GET parameters (which get logged cross every access log in the middleware on its way to the target server) and it didn’t raise any flags seems sufficient enough to suggest DO NOT expose jellyfin directly to the internet.

By then you would have racked up thousands of dollars in legal fees. Not to mention if anyone posts anything negative about the current administration you could be used as an example.

We already have students on visas being kidnapped off the streets, let’s stop pretending the law actually matters for the people in power.