FULL DISCLOSURE: Data Collection in the Process of BotNet Takedown

[softworkz 3341]

4 minutes ago, Gilgamesh_48 said:

10 minutes ago, pwhodges said:

I'm sure that Emby don't want to impose unreasonable requirements on users; but they want to have more secure ways of providing convenience, safer defaults, and warnings if users select options which are considered bad practice.

Paul

All that say is that Emby is entitled to control their server that is running about as completely isolated as possible with no remote access at all. That is the act, as I said before, of a bully and I dislike being bullied.

Emby is still the best media server but "solving" this issue by forcing unaffected systems into Emby's pattern of use dropps them down a bit.

I think that Emby is the last software on the planet where you can have admin accounts without password. What's more likely - that Emby is using outdated insecure patterns or are all the others wrong? 

[Gilgamesh_48 945]

1 minute ago, moviefan said:

Requiring a password to perform administrative activities is simply good security.  Having the option to not use a password for the admin account was a bad idea to begin with.

I can't imagine you are regularly administrating your server via your streaming devices.  I assume you are doing this with a browser.  And in the case of a browser, you simply have to check the remember me checkbox after typing in a password one time, and the cookie logs you in for future browser sessions.  So, you have to type a password one time.  This really doesn't seem very onerous to me.

So you are better able than me to decide what is proper on my systems? That is BS. I have security and I live totally alone and I have a nearly totally secure router. I see you have aims to be in government.

You are free to disagree with me and I am free the other way but it is WRONG to try to dictate to others.

[softworkz 3341]

4 minutes ago, andrewds said:

Well I know it certainly doesn't apply to anyone here but I'm sure there is a non-trivial number of people concerned about the felonious amount of illegally obtained content that might be exposed via data collection.

Which data collection are you referring to?

[pwhodges 1538]

It is also irresponsible and wrong to continue to supply software with a known insecure setup.

Paul

[andrewds 98]

1 minute ago, softworkz said:

Which data collection are you referring to?

The data collection that you have considered implementing that people can opt in to but never have because it's not well received. The thing you commented that I quoted to respond to.

[justinrh 175]

1 minute ago, pwhodges said:

It is also irresponsible and wrong to continue to supply software with a known insecure setup.

And softworkz admitted it has been like this, and forever, right?  That post might need to be deleted. 

 

[Gilgamesh_48 945]

2 minutes ago, softworkz said:

I think that Emby is the last software on the planet where you can have admin accounts without password. What's more likely - that Emby is using outdated insecure patterns or are all the others wrong? 

You are totally wrong. I can and do administer Windows 10 without passwords. I can and do administer several other systems without a password. The only place I need to use passwords, and that makes sense, is when i go to a website for tasks.

The last time I had to enter a password for a local task was to unlock a utility I use.

If mt local system gets hacked it would mean that someone has broken into my home and then I have a lot more problems than the hack could ever create.

[pwhodges 1538]

1 minute ago, justinrh said:

And softworkz admitted it has been like this, and forever, right?  That post might need to be deleted. 

You will also note he added a (+1) to my comment!

Paul

[softworkz 3341]

4 minutes ago, andrewds said:

6 minutes ago, softworkz said:

Which data collection are you referring to?

The data collection that you have considered implementing that people can opt in to but never have because it's not well received. The thing you commented that I quoted to respond to.

Sorry, I had not seen that I was quoted,.

But no, no,  no and no  

I wasn't even engaged with Emby at that time. It wasn't considered, it was actually implemented, IIRC ir was opt-out). At that time Emby was still open source, so there was no concern about content info collection. It was just minimal data IIRC, but it wasn't liked.

@Luke may correct me where I'm wrong. 

[softworkz 3341]

9 minutes ago, justinrh said:

14 minutes ago, pwhodges said:

It is also irresponsible and wrong to continue to supply software with a known insecure setup.

And softworkz admitted it has been like this, and forever, right?  That post might need to be deleted. 

The risk assessment was wrong and blindsighted. We know that and there's no point in hiding anything about it. 

Edited May 27, 2023 by softworkz

[softworkz 3341]

37 minutes ago, justinrh said:

42 minutes ago, softworkz said:

we don't hear anything from your server anymore unless you loosen user security or get infected again

Hold on pa-pa.  How do you know if I have loosened security or are infected (again) if reporting was a one-time action? 

The detection is running each time your server starts. When it doesn't detect anything, it doesn't report anything.

Reporting means the procedure of invoking a URL to which it is posting the data.

[Gilgamesh_48 945]

5 minutes ago, softworkz said:

The detection is running each time your server starts. When it doesn't detect anything, it doesn't report anything.

Reporting means the procedure of invoking a URL to which it is posting the data.

The more I hear and the more it gets rationalized the more I dislike where this is going. It has become clear that those of, admittedly in the minority, that do not want or need security are going to be forced to use it and it does not matter if we want to use it or not.

Users want/needs are only being met if those wants/needs fits with Emby's agenda.

I am done with this thread, the bullies have won. That should please some people.

[softworkz 3341]

35 minutes ago, Gilgamesh_48 said:

I do not want to do that as I am my only user and therefore I do not need or want another. If I am using my computer I might want to watch content or I might want to perform admin tasks and I do not wish to switch users just for that and even then I would, under current plans I think, still have to enter a password for the admin user. So that really would solve nothing for me. In fact it would increase complications.

The situation is not as bad as it might seem to you now.

We want to phase out accounts without password and the "don't require password in local network" altogether.

But of course that won't happen without an appropriate replacement. We want to eliminate accounts with empty passwords, but we don't want to take away the ability for users to log on without entering a password. It will just be done in a different way.

The only little inconvenience that might affect you could be that passwordless admin accounts are tightened first, maybe before the alternative is available, but you'll likely be able to control this a bit by delaying server updates.

In summary, there's nothing bad for you to expect and no reason to get upset right now..

[CHBMB 2]

I think I've hit a bit of a roadblock for my usecase with the recent update.

I run Emby in a docker-compose stack behind traefik, and now when I review my admin account, my internal network clients are showing as all coming from the same ip address, which is the ip address of the traefik container.  Presumedly as the headers that led to the security vulnerability have now been removed.  Clients logging in from WAN are however, still showing a correct client IP address.

My Emby container is set with the IP address of the docker host, 10.x.x.1 and my LAN setup is that of 10.x.x.0/24 

I do use "don't require password in local network" for my account and accounts for my children, so we can use Emby and flick between profiles easily, but my kids aren't going to be able to enter a password each time at their current age, especially as I have secure randomly generated passwords, and no desire to change this practice, now that I have 

Neither of these accounts are admin accounts, I have a separate admin account I use from my laptop only.

Rolling back my Emby server version to 4.7.11 and the correct client IPs are displayed and everything works as expected.

Whilst I appreciate there's a need for change here, please make things configurable so those of us that wish to change the default options can still do so, you clearly have a responsibility to secure Emby, with sane defaults, but allowing some configurability, with warnings if necessary would be helpful.

[Gibberish 1]

1 hour ago, moviefan said:

Requiring a password to perform administrative activities is simply good security.  Having the option to not use a password for the admin account was a bad idea to begin with.

I can't imagine you are regularly administrating your server via your streaming devices.  I assume you are doing this with a browser.  And in the case of a browser, you simply have to check the remember me checkbox after typing in a password one time, and the cookie logs you in for future browser sessions.  So, you have to type a password one time.  This really doesn't seem very onerous to me.

Some clients require (FireTV for example) require that you input the password\pin each time you try to switch to accounts that don't have local password skip. Not sure if this is a client or OS\system limitation.

As I said somewhere else, if they add some more housekeeping actions as user options (ex. episode\season metadata refresh not edit) then I'd wager that most users wouldn't have usability issues with a non-admin account. Like it's weird that a non-admin account has the option to delete media (destroy file) and download subtitles (add file), but they can't refresh stale metadata (update file if using nfos). And before someone points out the auto refresh options, yeah no, there's too many hijinks happening over at the TVDB to make anything more than an okay option.

Edited May 28, 2023 by Gibberish

[softworkz 3341]

6 minutes ago, CHBMB said:

Whilst I appreciate there's a need for change here, please make things configurable so those of us that wish to change the default options can still do so, you clearly have a responsibility to secure Emby, with sane defaults, but allowing some configurability, with warnings if necessary would be helpful.

That makes sense in general, but we cannot provide a configuration switch that "turns on" a vulnerability as big and severe as this one.

[softworkz 3341]

10 minutes ago, CHBMB said:

I run Emby in a docker-compose stack behind traefik, and now when I review my admin account, my internal network clients are showing as all coming from the same ip address, which is the ip address of the traefik container.  Presumedly as the headers that led to the security vulnerability have now been removed.  Clients logging in from WAN are however, still showing a correct client IP address.

My Emby container is set with the IP address of the docker host, 10.x.x.1 and my LAN setup is that of 10.x.x.0/24 

I don't know much about Docker, so I'm not sure how it comes that requests from local IP addresses don't seem to get through directly to the docker container?
Is there some reverse proxy configured?

If yes, then the local network request need to get directly into the container, not through a RP.

[arrbee99 1561]

I never had a password for Admin. Now I do. I think I've survived the trauma...

I can even remember it - so far.

[TMCsw 123]

I’m not sure why this has become such discussion about password protection? When none of this would have happened if emby would have eliminated the 127… vulnerability shortly after it was identified ~3 years ago.

[Gibberish 1]

23 minutes ago, TMCsw said:

I’m not sure why this has become such discussion about password protection? When none of this would have happened if emby would have eliminated the 127… vulnerability shortly after it was identified ~3 years ago.

What's done is done. There is at least a possibility of getting use cases in front of the dev team before the same voices that were saying "big effing deal" to the issue three years ago, drown everyone else out.

Edited May 28, 2023 by Gibberish

[Thomas64 38]

Just wanted to say THANK YOU to the Emby Team for working to eliminate this threat.

I have no issue trusting that you handled the situation in the best way possible - being you are the Owners/Creators/Maintainers of the software and knew the details of what was happening.

I'll reserve my anger for the non-ethical hackers that continue to exploit venerabilities for personal gain rather then work to the greater good of patching them.

Some individual Media Servers got temporarily shutdown to protect the community and software as a whole.
Frustrating and inconvienient, no doubt.
I'd rather that happen then of had this morph into peoples financial records/funds and/or identities being stolen, if not worse. (Knock on wood.)

Another take on the whole password topic. Not that it is needed!
I currently live alone as well, with no remote Emby access - but I have different accounts setup on my installation of the Server.
For me - it protects me FROM me! LOL

There is one single Admin enabled account that is hidden from the log in screen, and requires a password.
None of the other accounts can delete or modify - except for TV recordings.
This prevents me from accidentally doing anything I didn't mean to do with the other accounts.

I have a guest account (no password) for guests (physically staying in my home) that does not have access to more personal items. Any extra authorities beyond playing media has been removed from this account - including managing TV recordings.

I have the everyday account (password required) I use that has access to all the managed media, and lets me manage/delete TV recordings.

Using the security features of Emby can actually benefit you outside of the black/white stance of making your installation more hacker proof...

Not trying to offend anyone here.. Just another viewpoint.

[jl5437 1]

So... you guys have the ability to remotely disable your software eh? Was this only for paid Premium members servers or for everyone's? Even for those that were not open to the internet?

I thought Emby was a self hosted thing, user side for full manageability and control, and not like Plex where they tie it into online web hosting SSO account and control for remote access etc.   From the OP, they used the auto update to force detect and inject the shutdown trigger. 

Well, this is frustrating, but not surprising these days. Seen many a product or service rendered a brick/useless with the normal software or OTA update process, thanks to the company/service shutting down or changing business models.

At least you did so for the sake of stopping a hack/takeover of users home servers.

However, good intentions and necessity aside, I do not like that this was possible for the devs to do. 

I recently upgraded my Home Media Server, and had not yet installed Emby server yet...only knew of this issue after just now seeing an article about it on my Apple news feed. 

My things i do not expose to the internet via port forwarding or PNP, instead i use Wireguard VPN on my mobile device to access my home network. So, my old server probably never got attacked by this event. 

Edited May 28, 2023 by jl5437

[moviefan 184]

Replied to @Gibberishand his nonsense but @seanbuffdeleted my post because I said one swear in it which is ridiculous.  @seanbuff you are a terrible moderator and should be fired. @Gibberishyou are a moron and know nothing about computers or networking or security.

[seanbuff 842]

1 minute ago, moviefan said:

Replied to @Gibberishand his nonsense but @seanbuffdeleted my post because I said one swear in it which is ridiculous.  @seanbuff you are a terrible moderator and should be fired. @Gibberishyou are a moron and know nothing about computers or networking or security.

Gibberish was not even the person you were quoting. Your post contained nothing meaningful. Settle down.

[Abobader 2954]

@moviefan  We do not allow this type of attacking to other members, but you went a head and start attacking our mod's team

I disable your post for today as a warning, if this happens again, you risk a ban on your account.

This for any member whom start to attack another members or the mod's team here.