• 0 Posts
  • 31 Comments
Joined 3 years ago
cake
Cake day: December 14th, 2023

help-circle


  • It feels like there’s been an increasing flood of AI slop projects, with varying degrees of monetization / donations. I think it’ll become a huge problem if we don’t have at a minimum very strict rules around AI generated slop projects. I think a mandatory tag with penalty of removal is a good bottom floor, in addition to the recent community participation activity % requirements for promoting monetized projects, which covers a good chunk of AI projects.

    Then hopefully soon we can figure out as a community what to do to control the remaining volume of non-strongly-monetized AI slop projects if those are still too widespread, but having it labeled is absolutely needed transparency, and that’ll still be difficult because lots of people seem to lie about not using AI.




  • If it helps, here’s how I had my gluetun / transmission set up with mullvad (I’ve since moved to proton for port forwarding but I saved the mullvad config in case I needed to switch back):

    services:
      gluetun:
        image: qmcgaw/gluetun:v3
        container_name: gluetun
        restart: always
        cap_add:
          - NET_ADMIN
        devices:
          - /dev/net/tun:/dev/net/tun
        volumes:
          - ./volumes/gluetun:/gluetun
        environment:
          - TZ=America/New_York
    #      Mullvad
          - VPN_SERVICE_PROVIDER=mullvad
          - VPN_TYPE=wireguard
          - SERVER_COUNTRIES=USA
          - SERVER_CITIES=New York NY
          - WIREGUARD_PRIVATE_KEY=
          - WIREGUARD_ADDRESSES=x.x.x.x/32
          - UPDATER_PERIOD=24h
          - UPDATER_MIN_RATIO=0.1
          - UPDATER_VPN_SERVICE_PROVIDERS=mullvad,privado,protonvpn
        networks:
          - default
          - ingress
    
      transmission:
        image: linuxserver/transmission:latest
        container_name: transmission
        restart: always
        network_mode: "service:gluetun"
        environment:
          - PUID=0
          - PGID=0
          - TZ=America/New_York
        volumes:
          - ./volumes/transmission:/config
          - /volume1/Media:/media
    
      flood:
        image: jesec/flood:latest
        container_name: flood-sidecar
        restart: always
        command: --port 3000
        user: "0:0"
        network_mode: "service:gluetun"
        volumes:
          - ./volumes/transmission:/config
          - /volume1/Media:/media:ro
        environment:
          - TZ=America/New_York
          - HOME=/config
        labels:
          - com.centurylinklabs.watchtower.enable=true
          - "traefik.enable=true"
          - "traefik.http.routers.flood.rule=Host(`flood.example.com`)"
          - "traefik.http.services.flood.loadbalancer.server.port=3000"
          - "traefik.http.routers.flood.entrypoints=websecure"
          - "traefik.http.routers.flood.tls.certresolver=mytlschallenge"
          # This example uses "Selective Authentication"
          - "traefik.http.routers.flood.middlewares=oauth-middleware"
    
    

    Idk how zimaos works, but the way to attach containers like this is with network_mode: "service:othercontainer" which might need them to be in the same compose file (the docs aren’t clear).

    Also note that you can’t put any port mappings on a container using network_mode service, you have to put them on the other container that is handling networking since the first container is piggybacking off of the other and doesn’t have its own networking.


  • It sounds like it’s just not worth it for you, and that’s totally fine! Plenty of people get by just fine with using random streaming sites.

    Personally, I want something more reliable, I want to have copies of what I watch in my possession that cannot be taken down, and I want to share this with others so that my friends can benefit from my time investment instead of using a solution that only works for me. So that if my friends ask me “where do you get your stuff” I can offer to share with them at 0 extra effort instead of telling them “go do all these things that I already did”

    As for usage, I only watch a few hours a week myself, but I share with 15-20 friends and family who watch a collective 160 hours a month last year and around 360 hours a month this year (about 15 days of watch time per month).

    I have a fairly comprehensive arrstack, torrents and Usenet, seerr, Plex and jellyfin side by side with identical media mounts for maximum user choice, running on a nuc with quicksync so it handles 8+ simultaneous 1080p live transcodes without using much power or increasing CPU usage much more than 5-10%.








  • Yes that’s what I would like to advocate for. I did something similar with LunaSea, but often people suggest doing that with Jellyfin and are not aware that almost no apps support it, and that adding exceptions for the API makes you basically as secure as not having it. But people tend to get very defensive when you try to tell them that something won’t work, so I try to phrase it as a question to see if I can get them to understand what the limitations are in a way that’s less confrontational.


  • Yeah that’s fair and I think that’s a good move, my point is just that people are acting like this is not feasible to exploit. I’m at the point in my exploit testing excursion where I have a script that can generate a stream of potential IDs based on real torrent names being parsed and reformatted using radarr’s default naming pattern as well as the commonly used trash guides ones permuted with some common library paths used in the default docker compose examples, and it’s turning up actual ID matches with my jellyfin instance. All I have left to do is make it create API requests to test the IDs against the unauthenticated API instead of checking an exported list and there’s a proof of concept. 5 years is a long time for someone to figure that out.



  • What do you mean viable? The web UI is just an app that is delivered to your browser, it makes more or less the same API requests as an app would make, so IDK why the risk would be lower with an app?

    If an attacker can access the login endpoint for example to brute force or dictionary attack, it doesn’t matter if the web UI is or isn’t accessible if the login endpoint it uses is exposed for an app. The attacker could serve their own copy of the web UI and proxy requests to the API your app connects to. Blocking the html from being served doesn’t make a difference.


  • Do you not do any renaming? That probably would make it even easier as you can just brute force with a database of filenames scraped from torrents. I already have a proof of concept that generates valid jellyfin IDs from any given file path, it only takes a few more steps before you can plug in a shodan scan of jellyfin instances and just shotgun a bunch of IDs generated from torrents.csv at them and find stuff you can stream without authentication.

    People not bothering to rename, using the default radarr naming scheme, or everyone using the same naming pattern from trash guides just makes it easier.

    Probably the only way to guarantee nobody can probe your media and stream it without authentication is to make sure to rename everything using a format that only you use or mount all your media under a path inside docker that contains a long randomly generated folder prefix.