twhiting9275 11 Posted May 25, 2023 (edited) Take away what works perfectly, make it harder to do. I'm referring, of course, to local logins. There is zero excuse. NONE, for requiring passwords on local accounts. I should be prompted, maybe ONCE, to log in to a local TV device, sync my account, then be able to switch between accounts freely. Sadly, Emby, in its poor security, manages to require individuals to now log in with username and password, if the password exists, admin user or not. This is 500 ways from wrong, but of course, keep on trying to justify poor development and login practices. -1 premiere sub here. You just made things far more difficult than they have to be. Edited May 25, 2023 by twhiting9275 5
twhiting9275 11 Posted May 25, 2023 Author (edited) Since I cannot edit, I will clarify a few things: 18 minutes ago, twhiting9275 said: on local accounts. By local accounts, I mean accounts (any) available to log in, while on the local network. If I'm logging in via cell, or whatever, by all means, require a login, and you should. HOWEVER, if I (or anyone) is logging in from the local network, that's usually going to be a TV (where it is incredibly horrific to use an on-screen keyboard) or a PC (which relies on a password manager, so that's fine). 18 minutes ago, twhiting9275 said: able to switch between accounts freely. Once I've authenticated (just the one time), I should be able to switch accounts without having to re-enter passwords, go to Emby Connect or some other garbage. The problem here is quite simple. People are easily frustrated, and you need to dumb it down as much as you can. Requiring accounts to continually log in like this only causes issues. Even simply telling them to log in using Emby Connect isn't going to solve the issue, because, simply put, the process is quite convoluted. It would be fine if this was a one-off process (à la Plex), but it's not. It's an every-time-you-log-in-to-the-media-center process. Keeping the account logged into the device isn't an option either. Multiple people use multiple accounts on the same device. Using the switcher simply tells people to re-enter the password. Simply put, this once easy process just got massively convoluted, because .... Emby Edited May 25, 2023 by twhiting9275
pwhodges 2012 Posted May 25, 2023 Making admin accounts accessible password-free is simply bad practice anywhere. Why would you even want to use a TV to administer the server? Do that on your desktop or tablet. Paul 4
CaseyP 17 Posted May 25, 2023 You can set up non-admin accounts to use a PIN locally. 4
twhiting9275 11 Posted May 25, 2023 Author (edited) 1 minute ago, pwhodges said: Making admin accounts accessible password-free is simply bad practice anywhere. Just now, CaseyP said: You can set up non-admin accounts to use a PIN locally. I should never need two separate accounts. Didn't do so with Plex, shouldn't need that here either. Edited May 25, 2023 by twhiting9275
CaseyP 17 Posted May 25, 2023 1 minute ago, twhiting9275 said: I should never need two separate accounts. Didn't do so with Plex, shouldn't need that here either. So you want to use your admin account, at all times, even on a TV where there's no need, and you want that account to have no security on it after it's been verified it's "you"? Ya, I'll be that person.. maybe going back to Plex is the right path for you. 2 1
pwhodges 2012 Posted May 25, 2023 3 minutes ago, twhiting9275 said: I should never need two separate accounts. Didn't do so with Plex, shouldn't need that here either. Separating user and admin accounts is a basic tenet of system security. Paul 6
RanmaCanada 495 Posted May 25, 2023 Sounds like someone has no idea how to do security and the reasons why. 2
MBSki 1114 Posted May 25, 2023 1 hour ago, pwhodges said: Why would you even want to use a TV to administer the server? Do that on your desktop or tablet. That's a good question, but then again why did Luke add all those server settings to the TV layout of the app? 1 1
twhiting9275 11 Posted May 25, 2023 Author 2 hours ago, RanmaCanada said: Sounds like someone has no idea how to do security and the reasons why. Security? No. This has nothing to do with "security". Except for the fact that EMBY cannot handle that properly at all. I shouldn't need two separate users for a media player. Nor should it be required. It wasn't with Plex, and it isn't anywhere else. The problem is that Emby devs cannot handle things properly, as noticed over the past few weeks. This is only one in a rather large selection of things. Allowing plugins admin escalation is just bad on every single level, and NEVER should have been done. Instead of addressing that gaping flaw, though, let's just make life harder on customers, like we always do, right? Pathetic.
richt 94 Posted May 25, 2023 15 minutes ago, twhiting9275 said: I shouldn't need two separate users for a media player. Nor should it be required. It wasn't with Plex, and it isn't anywhere else. "isn't anywhere else" - Two separate users for admin and user functions is fundamental to the Linux OS.
pwhodges 2012 Posted May 25, 2023 20 minutes ago, twhiting9275 said: I shouldn't need two separate users for a media player. Nor should it be required. It wasn't with Plex, and it isn't anywhere else. Quite so - but administering a server is not the same as playing a video. The way that major systems have made it too easy to do everything with minimal security (even Windows, which at least tries to make it inconvenient at times) has been a significant part of why systems are still so frequently hacked, with devastating results for those who lose all their money (or in the most extreme case I know of, their home as well) as a result. Obviously neither you nor Emby is specifically guilty in the case of exploits elsewhere; but what is required is a more serious attitude to security at every level, throughout society, so that it becomes an ingrained habit - for everyone, not just for those nuisances of IT admins at the office. And good habits start at home. Also, read up about the Swiss cheese model. You blame Emby for this problem, not without justification, but just think - people whose admin accounts were already securely set up were not affected by this vulnerability. By being smarter about security, you have a better chance of being out of the firing line when the next program is found to have an exploit. Paul 1
HawkXP71 112 Posted May 25, 2023 The only thing I would like to see, is possibly the option to say "Only allow administration from XXX clients", so you could make TV logins less secure because they have no admin rights.
Gilgamesh_48 1240 Posted May 25, 2023 I do not have any local security to speak of at all and I feel that I am completely secure. Or at least as close as is possible in the current computing world. But I, probably, am in an unusual situation I guess. I have all outside access blocked and there are no other people that can even get to my servers. I do use secure email addresses and I do have a VPN that I use but that is to prevent outside hacks. My dog is not allowed any computer use at all so he is not a potential problem. I believe that "security" is unimportant and even intrusive for situations like mine and I believe that people should be allowed to have or not have any security they desire. It is NOT Emby's place to force security on users but it is their place to allow all the security anyone wants to use. I "should" be allowed to have no security at all or to have security so tight that I have to have some form of "cheat sheet" just to keep track of my user names and passwords. Linux should NOT force security, Windows should NOT force security. Emby should not force security. Being forced to use security in any form is anti-freedom but being forced the other way is every bit as bad. If I ever get hacked locally it will have to be someone that has broken into my house and the fact of my network or my computer being hacked would be the least of my problems. Maybe there should be a single setting in all apps, including Emby, that says "remove all security." I just want to use my system(s) and not have to worry about security. My security is all taken care of by good deadbolt locks, a large dog and a good firewall on my router. I won't say "I cannot be hacked" but it is very close to that situation and I do not like it at all when I am forced to type passwords or user names when sitting at my own computer or accessing my clients. It is a user choice to use or not use security and should never ever be forced or even coerced in any way.
Allow local security but do NOT force it!! That is unless you think it is your job to force users to do as you wish. That is the government's job, not yours.
richt 94 Posted May 26, 2023 (edited) 6 hours ago, Gilgamesh_48 said: Allow local security but do NOT force it!! I understand and sympathize with your comments. I too do not expose any of my local devices or applications directly to the Internet and in that alone have mitigated much of the risk for my home network. However, not all Emby users are so inclined and as recent events have shown, many do not take even the most basic steps to protect their application and home network. So it does indeed fall back on application vendors to think about deploying apps with a default configuration that addresses the lowest common denominator, the end user that takes NO action to secure their hosting environment. Indeed the vendors have to as any breach, even if it is not a shortcoming in their code, reflects poorly on them and their product. It is then up to the rest of us that are comfortable identifying the risk level we are willing to accept, to adjust the application configuration accordingly. Edited May 26, 2023 by richt 1
darkassassin07 652 Posted May 26, 2023 (edited) In a circumstance like this, I appreciate the emby team applying changes to servers to ensure they have better security, particularly for those that take no action to do so themselves, as well as just to bring attention to the situation; however, as users/server operators we should be allowed to assess the situation and apply our own desired settings after the fact. That is to say, while it's great admin accounts were adjusted initially; I'm not happy that I can't now go re-enable pin access (it turns itself back off), or even password-free access if I was so inclined. I don't agree with forcing local users to use long complex passwords, rather the detection for local vs remote access should be improved (which it has, with the changes to how x-forwarded.... headers are handled), so this forced settings change shouldn't be necessary. That being said, I can also understand just quickly pushing out a fix to mitigate any potential damages, then sorting out the finer details once the hole is closed. I can't imagine the emby team wanted to leave this open any longer than necessary. I'll be patient for a bit and see how things develop. Edited May 26, 2023 by darkassassin07
moviefan 187 Posted May 26, 2023 9 hours ago, Gilgamesh_48 said: If I ever get hacked locally it will have to be someone that has broken into my house and the fact of my network or my computer being hacked would be the least of my problems. Just want to point out here that regardless of whether you allow direct external access, there are still multiple vectors that an adversary can use to infiltrate your network remotely by tunneling back over your outbound connections. These include such vectors as phishing emails, malicious websites with 0-day exploits, and updates to your installed software which contain malicious code embedded in the supply chain of the application developers. I don't disagree with your point about security being a user choice. But your certainty of security by not having open public ports is a bit naive. 2
Gilgamesh_48 1240 Posted May 26, 2023 9 hours ago, moviefan said: I don't disagree with your point about security being a user choice. But your certainty of security by not having open public ports is a bit naive. I use email filters to totally prevent any malicious emails from ever getting to me and the first time I visit any site I use a browser with settings that do not allow any code downloading or execution. Also I never ever just "browse" the web. I only use software that is totally trustworthy and I take nothing for granted. I never ever use email links to access network sites. I directly enter addresses into my browser even for verifications etc. I firmly believe that the only way into my network is a direct connection by exploiting my wireless network and that is about as protected as it can be. While it is true that there is no 100% protection against hacks I believe that my network and browsing actions and email protections are about as good as they can reasonably be. People should take precautions against being hacked and I have done so but often people are so paranoid that they over protect their network and computer and therefore cause problems. I might be truly vulnerable somehow some way but I believe that I have closed and locked all doors into my network and protected the keys as well as possible. The only reasonable way into my network would be externally connecting to my wireless network and breaking my router's security and that would be nearly impossible to do in a short time and, since I live rural, it would require quite a bit of time and I am just not worth it. I am only close enough to two neighbors to have them even see my wireless network. I just do not see any reasonable way I could be hacked externally. I am not naive about network security but the security I have is actually overkill and I am sure I could have even less.
BTW: If I could have a totally wired network I would, as I do not really trust wireless networking, but there are too many useful tools, like cell phones and my Fire stick and others, to just not use wireless. There are many other precautions I take so I am not naive at all. But I think those that obsess over security are.
moviefan 187 Posted May 26, 2023 (edited) 23 minutes ago, Gilgamesh_48 said: I use email filters to totally prevent any malicious emails from ever getting to me and the first time I visit any sight I use a browser with settings that does not allow any code downloading or execution. I don't want to get into an argument here but just pointing out again - there is no such email filter to "totally prevent any malicious emails" and browser settings not allowing downloading or code execution only work if the browser software isn't vulnerable to a 0-day exploit that bypasses those settings. I've worked as a CISO for over a decade and in cybersecurity for more than 20+ years and the mentality you are espousing here of not being at risk because of x & y is the mentality that has led to many breaches. There is always risk. I applaud you being vigilant to try and protect yourself. You likely aren't a big target so most likely you will be fine. Just lower the certainty a bit would be my advice. Edited May 26, 2023 by moviefan grammar 1
Gilgamesh_48 1240 Posted May 26, 2023 @moviefan I know nothing is perfect but you might want to look at Proton Mail as, so far and I've had it for a couple of years, I have seen no problems. I feel safe as I am not important enough to be targeted so it is only casual hacks that could be a problem. I also as I said before never click on email links that come in unsolicited emails and, those that I ask for, I make sure that the link agrees with the source. What I have is not appropriate for most people but I feel I am safe and you trying to convince me I am not will not work. 1
pwhodges 2012 Posted May 26, 2023 10 minutes ago, Gilgamesh_48 said: I feel safe as I am not important enough to be targeted Hardly anyone is targeted - mailings are sent out to lists of addresses which have been accumulated, and sometimes added to by simple guesswork. Ports are scanned for without regard to who or where, etc. As moviefan said, you'll probably be fine - but don't let complacency creep in. Paul
twhiting9275 11 Posted June 3, 2023 Author On 5/25/2023 at 2:27 PM, pwhodges said: Obviously neither you nor Emby is specifically guilty in the case of exploits elsewhere; but what is required is a more serious attitude to security at every level, throughout society, so that it becomes an ingrained habit - for everyone, not just for those nuisances of IT admins at the office. And good habits start at home. No, just no. This is what leads to every place ever requiring 2FA, their own brand/version of it, forcing email checks, phone number checks, video checks, you name it. Just no. Emby is a streaming application. IF something (say, a plugin) can take advantage of an admin account to cause nefarious activity, then it's not the admin account's fault. It's the developer's fault. It's just that simple. Applications should be designed so that this type of escalation isn't possible, and not by forcing people to use passwords to watch a damn show on a television app! In the years I ran Plex, I had ONE account on that server. ONE. Just the one. How many times did I have to log in? Rarely, which is fine. Then, I actually used Plex's login system to get in, no worries. With Emby, it's the complete opposite. EVERY TIME you exit the application, you're forced to log right back in. Switch accounts? Enter your password. Exit the app? Enter your password. This is completely inappropriate for a streaming application, and unacceptable. 2
darkassassin07 652 Posted June 3, 2023 (edited) 6 hours ago, twhiting9275 said: EVERY TIME you exit the application, you're forced to log right back in. Have you ever considered checking the 'remember me' box on the login screen of literally every single app emby provides? The only time I have to enter my password is when logging in to a brand new device, or when logging in to a communal device that multiple users use (i.e. I don't want it to remember me). Even then I typically use the pin option, which Luke has said is only temporarily removed. My phone for example: I've had to enter my emby password twice in its lifetime (just under 2 years), once for the android app, once for the web app. If that is not working for you; perhaps submit a bug report instead of ranting about losing customers you, over a nonexistent issue for most people. Seamlessly switching users/remembering multiple user logins is a separate feature emby just hasn't implemented yet. Edited June 3, 2023 by darkassassin07 2
Gilgamesh_48 1240 Posted June 3, 2023 10 hours ago, twhiting9275 said: No, just no. This is what leads to every place ever requiring 2FA, their own brand/version of it, forcing email checks, phone number checks, video checks, you name it. Just no. Emby is a streaming application. IF something (say, a plugin) can take advantage of an admin account to cause nefarious activity, then it's not the admin account's fault. It's the developer's fault. It's just that simple. Applications should be designed so that this type of escalation isn't possible, and not by forcing people to use passwords to watch a damn show on a television app! In the years I ran Plex, I had ONE account on that server. ONE. Just the one. How many times did I have to log in? Rarely, which is fine. Then, I actually used Plex's login system to get in, no worries. With Emby, it's the complete opposite. EVERY TIME you exit the application, you're forced to log right back in. Switch accounts? Enter your password. Exit the app? Enter your password. This is completely inappropriate for a streaming application, and unacceptable. The only time, so far at least, I have had to log in has been when I switch either servers or users. The recent security problems have, probably, caused some login issues but I have not seen any and the post by @darkassassin07 addresses that issue for most. If you still are being forced to log in then follow the instructions in "How to submit a question" and report it as a potential bug. BTW: I use Rokus, Fire TVs, Shield TV and computers and they all work as well as ever. Most of the time, except when accessing my backup server, I do not even see a login screen on any of my devices.