
FULL DISCLOSURE: Data Collection in the Process of BotNet Takedown


softworkz


ember1205
8 hours ago, softworkz said:

I understand your position. I can assure you that the decision hasn't been made light-heartedly. It had been clear to us that this kind of intervention will be seen as controversial, but there were reasons for why we chose to go that far and shut down infected servers as the ultimate last resort.

I wrote an article which is detailing the decision process, I hope it will be published soon.

The decision to do what was done was self-serving. It was all "to protect the name" of the company. By intervening in this manner, Emby has attempted to convey their position as a "security company" or as having staff that is focused on security. I promise you that this is NOT a position you want to attempt to take lightly as it will blow back on you down the road. Stepping in and doing what was done and then claiming your superiority with the "How we took down a botnet in 60 seconds" headline will be seen as a challenge by the hacking community.

 

Congratulations on what you have now achieved.


5 minutes ago, ember1205 said:

The decision to do what was done was self-serving. It was all "to protect the name" of the company. By intervening in this manner, Emby has attempted to convey their position as a "security company" or as having staff that is focused on security. I promise you that this is NOT a position you want to attempt to take lightly as it will blow back on you down the road. Stepping in and doing what was done and then claiming your superiority with the "How we took down a botnet in 60 seconds" headline will be seen as a challenge by the hacking community.

Congratulations on what you have now achieved.

Everything you are writing is so full of hate - like only the actual hacker could be at this point...

  • Like 1

ember1205
2 minutes ago, softworkz said:

Everything you are writing is so full of hate - like only the actual hacker could be at this point...

It's full of anger, not hate. Emby STILL has done absolutely nothing to contact users and continues to believe that they have 'notified' people through the process of shutting down their server. I work for a global software company. We work with many people around the globe to find (and fix) vulnerabilities, many times well ahead of exploits occurring in the wild. We announce these issues in conjunction with having updates available (via settings / configuration and patches if needed). We send emails. We call customers. We publish articles that trigger automatic (actual) notifications to customers through emails that they signed up for. We NEVER do anything that would disable their systems because the environments are not ours.

 

The way that this was handled was 100% WRONG. And now you're accusing me of being "the hacker"? Not only is that laughable, but it's the last straw. I'm out. I'm done with this POS software and will be seeking a refund.


pwhodges

If your issue is with the lack of reaction to the initial vulnerability, that is justified, and Emby have, we hope, learnt their lesson.

But if your issue is with the steps they took to prevent this becoming a much, much bigger problem within days or even hours, then you are wrong.  I hope they will soon publish their reasoning behind what they did (which I have seen), and then maybe you'll understand where they were coming from.  You may still disagree, but they had a justified belief that doing it any other way than what they did would have had worse and more widespread consequences.

Paul

  • Agree 8

Dickydodah!
59 minutes ago, softworkz said:

Everything you are writing is so full of hate - like only the actual hacker could be at this point...

 

100% agree with the first comment, the second comment is stooping to the recipient's level. @softworkz I feel your pain but don't lose it because of one ranting poster. You did what you thought was best in the circumstances and you will never get 100% agreement. I think you have a good deal of support as not that many are complaining out of 1,002,603 members of this forum.

  • Like 1

 

2 minutes ago, Dickydodah! said:

I feel your pain but don't lose it because of one ranting poster.

There's no pain involved. It was just the answer he deserved.

  • Like 1
  • Haha 2
  • Agree 1

rbjtech
53 minutes ago, pwhodges said:

If your issue is with the lack of reaction to the initial vulnerability, that is justified, and Emby have, we hope, learnt their lesson.

But if your issue is with the steps they took to prevent this becoming a much, much bigger problem within days or even hours, then you are wrong.  I hope they will soon publish their reasoning behind what they did (which I have seen), and then maybe you'll understand where they were coming from.  You may still disagree, but they had a justified belief that doing it any other way than what they did would have had worse and more widespread consequences.

Paul

Agree 100% - a fully justified belief actually - as I am also part of these discussions.

@ember1205 - I suggest you wait for the information to be provided - I expect when working within your global software company, you do not gather full factual information and detail from a community forum .. you may have justification to be frustrated maybe even angry, but unless you have the full facts - please stop with the comments.

Edited by rbjtech
  • Agree 1

Scott D
5 hours ago, ember1205 said:

The way that this was handled was 100% WRONG. And now you're accusing me of being "the hacker"? Not only is that laughable, but it's the last straw. I'm out. I'm done with this POS software and will be seeking a refund.

Does this mean that not only myself, but the developers will no longer have to read this rambling of nonsense and respond to the tantrum being exhibited for all to see?

If my server is shut down, the world does not stop spinning.  This is a "personal" server for the use of family and (pushing it a bit) friends.  If you are getting complaints from your "users" that have probably paid the fees you impose, then you are probably doing something wrong.

While I was not affected, I did see the warnings that popped up on my server dashboard.  Good job guys.  It got me to dig a little deeper to determine what was going on.  Seems like that is the role of a good administrator.

I agree with comments above that what I purchased when I bought a Lifetime license is that I bought a "Right to Use".  I don't own anything except that right.  I have yet to purchase any software that ownership of anything more than the media (disks) it was provided on was transferred to me.   Considering the fact that I purchased my "lifetime" license in 2016, there was a clause in the agreement that stated the "lifetime" was until such time that a significant change to the software was introduced.  In 7 years, I have seen a very significant change to the software and yet my "lifetime" license is still valid.

Developers were damned if they do, damned if they don't.  I would much rather have a developer, knowing there is a potential "hack" of my system, shut it down.  As opposed to receiving an e-mail that may go unseen for a period of time.  Even if I don't log into the server for days at a time, I am sure one of my family members would give me a call to let me know I have an issue.

I personally would like to send a "GREAT JOB" to those involved in resolving this issue.  Not everyone will be happy, but there is one Administrator out there that is extremely happy with the response and my "right/privilege license to use" Emby.

KEEP UP THE GREAT WORK!!!

P.S.  After posting this, I pulled up my e-mail receipt from the day I bought my license.  I am so glad they did what they did as opposed to doing nothing but send an e-mail.  Imagine my surprise when I saw this:

No warranty of suitability, functionality or support of any kind is offered in relation to this transaction. We hope you find the software useful and worth what you provided for it.

Edited by Scott D
  • Like 5
  • Agree 4
  • Thanks 2

1 hour ago, Scott D said:

No warranty of suitability, functionality or support of any kind is offered in relation to this transaction. We hope you find the software useful and worth what you provided for it.

BTW - that is "lawyer language" :) we obviously strive to support folks and want nothing but happy users - we just cannot guarantee that.

  • Like 1

Scott D
8 minutes ago, ebr said:

BTW - that is "lawyer language" :) we obviously strive to support folks and want nothing but happy users - we just cannot guarantee that.

I am quite satisfied with the experience.  The support to help me through my lack of knowledge and the unique installation set-up I am running has been exceptional.

Sure, I experience frustration from time to time.  But for the overall experience it has been well worth the price of admission.

With all of the assistance I have been provided in the past, I will jump in and assist others when I feel I have sufficient knowledge or experience.

Believe me, if I were to reach a point of feeling my return for the investment made was not paying off, I would stop using the software, close my forum account and move on to the next item.  I would not stomp my feet and say "do it my way or I'm out".

Rule I have used in my business - When threatened with a lawsuit, our conversation is over.  Talk to my attorney.  I don't want to say anything that will be used against me.  In this case, there is no threat of lawsuit, just one of forfeiture of the right to use.  Conversation over.  Have a nice day and move on.

PLEASE, PLEASE KEEP PROVIDING THE EXCEPTIONAL VALUE I RECEIVE IN EXCHANGE FOR WHAT I PROVIDED.

Geez, poorly attempting to write like a lawyer is giving me a headache.


Scott D
6 hours ago, ember1205 said:

100% WRONG. And now you're accusing me of being "the hacker"? Not only is that laughable, but it's the last straw. I'm out. I'm done with this POS software and will be seeking a refund.

I think a fund should be established (general assessment fund) where any user can contribute whatever they feel acceptable, to fund the reimbursement of the license fee to users like this to make them GO AWAY!  So long as their license is revoked and membership to the forum is revoked as well.  The value of my time saved by not having to read this babble would make it justified.

  • Like 2

Gilgamesh_48
32 minutes ago, ebr said:

BTW - that is "lawyer language" :) we obviously strive to support folks and want nothing but happy users - we just cannot guarantee that.

As you know I "fight" with you guys a lot but I do not expect that you, or any other software maker, could make such a guarantee or even imply it. If they, or you, did make such a promise I would know that whoever made that promise was lying and it is a huge red flag. But I do use some products that make that kind of promise, I cannot avoid them, I just do not trust them.

I "trust" you guys to be a good reliable Media Manager/Streamer but I know things (sh**) happens. It is most surprising to me when things just work for an extended period of time. I find Emby to be "surprising" in that form most of the time.

I do not really like how it was handled this time but I cannot really think of other actions, in a case like this, that I would like more and I can think of a LOT of things I would like a good deal less.

When the final fix is implemented I hope it will not make my usage of Emby harder or more complex for me to use BUT I do understand the need for security.

Now that I have said something fairly nice about you guys I really really hope you do not make me eat my words. ;) :D

You can easily keep me content. All you have to do is make sure I am not adversely impacted and change very little.
That is not too much to ask, is it? 😶‍🌫️


moviefan
25 minutes ago, Scott D said:

I think a fund should be established (general assessment fund) where any user can contribute whatever they feel acceptable, to fund the reimbursement of the license fee to users like this to make them GO AWAY!  So long as their license is revoked and membership to the forum is revoked as well.  The value of my time saved by not having to read this babble would make it justified.

I don't think that setting a precedent for paying whiny babies is a good idea.  The guy has been a member of this forum since 2018.  So I am guessing he got 5 years out of his license.  If he wants to pout and run away let him.  Don't pay him to do so.

  • Like 2

lightsout
On 5/26/2023 at 7:37 AM, rbjtech said:

Having the 'username' (which is hopefully not 'Admin' lol)

🫢


7 minutes ago, lightsout said:

🫢

Okay - now that we know your user name - what's your password? 🤣😅😂

  • Like 1
  • Haha 1

Gilgamesh_48

I just wanted to report that all my clients still log in just fine without having to use my password, yippee.

I was required to use my password the first time I logged in on my computer but, subsequently, I have not been asked for my password.

I have "Allow login on local network without password" enabled and that still seems to work.

At this point I believe this has been handled about as well as it could be and my usage methods have not, at least yet, needed to change.

I LIKE IT! (see Robocop)

I will keep watching for problems but, for now, everything is fine.

  • Like 1

lightsout
29 minutes ago, softworkz said:

Okay - now that we know your user name - what's your password? 🤣😅😂

I had to go change it lol, I did something far more advanced. (Administrator) 😀

  • Haha 1

Guest EmbyEbookReader

If I am running EMBY on a QNAP NAS with LOCAL LAN only with no public Internet connection, am I safe until the next release fixes the vulnerability?


guynamedbilly

Just now learned about this.  I don't have a problem with the security measures you took.  As far as I can see, the only ones who would are probably using the service for illegal means and their customers are mad. 

 

Anyways, I do think it would be a good idea to send out an email to all users, because even if they were not affected by the intrusion, as I wasn't, they can know to keep an eye out.  I had no idea this had happened and was browsing the forum for an unrelated issue.  I think you should have all emails of at least the premiere users.

 

Also, it would be useful to have a page on the server menu to view administrative login attempts as well as administrative changes.  The Alerts blurb on the right of the dashboard shows failed attempts, but does not show successful ones.  If an admin has a weak password that's immediately compromised, that's no help.

  • Like 2

pwhodges
2 minutes ago, guynamedbilly said:

Anyways, I do think it would be a good idea to send out an email to all users,

This is a limited set, actually, because only Premiere and Connect/forum users have ever given Emby a contact email.  The majority of Emby servers are run by people that Emby has no means of contacting!

Paul


10 minutes ago, pwhodges said:

This is a limited set, actually, because only Premiere and Connect/forum users have ever given Emby a contact email.  The majority of Emby servers are run by people that Emby has no means of contacting!

Also, mass e-mail is not that easy these days. A number of times in the past, the forum e-mails were flagged by MS  (hotmail, outlook, ..) - just from the regular volume of the forum notifications - without sending any mass e-mails.

I don't think that it's even achievable to have a setup for sending e-mails just once in an emergency case. Such transmissions will very likely be blocked very quickly. You'd rather need to establish regular contact by sending e-mails regularly (starting from smaller numbers and growing then).

Without having such regular path, you can never be sure whether the e-mails even arrive or are put into spam or clutter folders.

This is something that needs to be established step by step, but I hope we'll be able to do that.


guynamedbilly

Fair enough.  I'm sure the vast majority of server users aren't premiere users.  And I personally don't want regular emails either, no offence :), so you'd definitely have ended up in the spam folder anyways.


8 minutes ago, softworkz said:

Also, mass e-mail is not that easy these days. A number of times in the past, the forum e-mails were flagged by MS  (hotmail, outlook, ..) - just from the regular volume of the forum notifications - without sending any mass e-mails.

I don't think that it's even achievable to have a setup for sending e-mails just once in an emergency case. Such transmissions will very likely be blocked very quickly. You'd rather need to establish regular contact by sending e-mails regularly (starting from smaller numbers and growing then).

Without having such regular path, you can never be sure whether the e-mails even arrive or are put into spam or clutter folders.

This is something that needs to be established step by step, but I hope we'll be able to do that.

You were able to update, gather data and send it over the internet, and then shut down Emby servers worldwide (yeah, I still am not very comfortable with this...), would it not be possible to have shown the same red banners that are on top of the forum right now on our servers?

What's done is done, but maybe that would be something to think of for the next time a vulnerability is discovered, a "news" section in the control panel or something like that.


Gilgamesh_48

FWIW: I am a firm believer in having backups, both content and options. I have been negligent in regards to backup app choices lately.

I made the choice to never ever use Plex again some time ago but well after I started using Emby for all my local playback. I did not make a decision of what my backup would be if Emby ever became unusable or otherwise disabled or inconvenient to use. That is a lack on my part.

After this issue cropped up (I typed "crapped" there and I almost chose to leave it that way) I did investigate some alternatives and I have found exactly one that would be good for me. That one is CH-DVR. Their interface is vastly inferior to Emby's and they do not have a Roku app, some at Emby will understand that they found that the Roku device is too underpowered for their app. It is usable but not much more than that.
BTW: Anyone wanting to use "remote" features will not want to use CH-DVR as they do not have, as far as I can tell, remote functionality. However they shine in live TV functionality.

There are others like Servio that I have not investigated deeply but all other apps I have looked at fall well short of the ideal and most make Plex look friendly and easy to use.

I am sticking with Emby for now. (with a CH-DVR backup) It would take a lot more to drive me away.

My suggestion to users very upset about this is to spend some time and find out just how bad the alternatives are and then make an informed choice.

Emby is handling this about as well as can be expected and, if this actually drives users away it is the user's choice but as serious as this has been it "could" have been a LOT worse for everyone.

Thank you Emby for making hard choices and making them about as correct as they could be. Once again, thanks. :D

  • Like 1
