Thank you for catching me up.
You’re using my Docker-overlay-native setup?
This just got easy.
Going to trick the docker container by first getting the native package working (since it’s the same data files)
Now open the Syno via the http://lan.ip.of.syno:32400/web
that should get it back to your Native app install.
Once this is done, Stop the native app, start the docker app
I was thinking I might need to do that. Seems more complicated but what the heck…
Generate a new token or use the one I used last time?
OK, another question: Am I installing using the Package Center? Or do I need to download some SPK file? Because after uninstalling all I see is Plex Media Server Join Beta.
I’ll report back the results.
Tokens are single use and expire after 5 minutes anyway if not used.
OK, but where do I re-install from? It says Join Beta in the Package Center.
Let me look which version you had.
NEVER use “Package Center” BETA
Manual install the last version you installed again.
I don’t think I have the package to manually install anymore.
I agree with you however if the tokens were compromised then there really is no alternative other than force resetting at least all tokens that had been generated up until the time of the breach.
In my example I manually removed all Allowed Devices from my server after resetting my PW, however anyone I shared my library with that has a compromised token can still access my server via that token. So in theory I also need all shared users to sign-out all devices on their side to eradicate any compromised tokens with access to my library. Which is a tall order and I would much prefer Plex just force the issue upon them so that I can be sure all exposed tokens with access to my library are breached.
If I am misunderstanding something related to the tokens of accounts with shared libraries I would love clarification. The silence to my questions has led me to believe I am correct that this is indeed an issue.
I don’t disagree, but I also don’t think Plex could handle the flood of people who will be angry about losing access to their servers “without warning”. I doubt most people would actually read an email about a full reset, at least not the ones who haven’t already taken measures by themselves.
Let’s say I’m Mr. Hacker and I have one of those compromised tokens from some user of my Plex server. I can now access that server using that token. What real damage can I honestly do? What? Watch some videos? I can’t delete them. I can’t change the server’s configuration. I can’t steal any credit card information or really any personal information.
Wouldn’t the token let a client access the server as an approved client though? My Plex Desktop app can change server settings and mess up my library. Maybe I don’t understand what the tokens do.
E: In the case of an external user/friend with read access, I agree, it’s not as critical.
If you only have the access token of a shared user (who doesn’t have his/her own server), then yes, you cannot cause more than annoyance.
If you however have an access token of the server owner, you can do many things the server owner can do. Enabling sharing, enabling media deletion (and thus actually deleting media), inviting other users etc.
But despite the limited threat in the first case, it is good practice to make the potentially-leaked tokens totally unusable by revoking them.
There is always the chance that some genius hacker could find a more sinister use or use them together with a hypothetical future bug/leak of something else.
Why take the risk?
None of my neophyte users run Plex servers, cept one, and he’s already changed his password.
Sharing’s already enabled no? I’ve enabled deletion and 95% of the time it doesn’t work for me anyway. As I have easy NFS access to my media I just rm from the command line when I need to delete something so I haven’t continued to pursue why deletion often doesn’t work for me.
My point is it seems extremely unlikely that any Super Hacker would be able to do much damage if they at all gave a crap about my little server.
Why take the risk? Why take the risk of changing things when your server is working already? I ask because I took that risk and did that and now my server is down (well it’s up locally and for some of my apps but for my neophyte users, they don’t have access). And I’ve spent about 3 hours last night working with @ChuckPa trying to get it back running with no success. As the old saying goes “time is money” I’m wasting time and money on a silly breach that most likely would have never gotten hacked anyway. That’s why I didn’t want to take the risk.
The current state is that I can access my Plex server but only via https://IP:32400, the local URL. If I go to https://app.plex.tv it doesn’t work. I managed to get it working on my Android phone as well as getting Plexamp working. Also able to get it working on my Vizio TV and PS4 and Plex HTPC. I was able to access Plex through my Android phone both on my WiFi at home and via 5G when I was remote. But my users report that they can’t get to my server and as I’ve said before, they are neophyte users so telling them to reinstall Plex on their TVs or Rokus or to log out and do that linking thing again will only confuse them.
I get that it is not as critical as the tokens for the server owner itself, however I still am not thrilled with the idea of a hole into my network that I need to rely on shared users to plug. I have linked the reset post to most but have no way to tell if they are actually heeding the advice.
In my opinion if PW and Tokens were indeed compromised then the only logical answer is to force reset all. Do it in waves if you must but relying on end-users to A.) be aware of this, B.) understand it, C.) do anything to rectify it is just asking for millions of exposed tokens to run in the wild for years to come.
Since the breach I am monitoring IP Geography of shared users connecting to my server and have seen nothing nefarious to date on my side.
In some countries having copyrighted videos available to people to watch them without having the proper rights is not allowed and it can be punishable. For example, in Germany a lawyer will basically blackmail you and you will have to settle for around 1000 EUR or you have to go to court.
Of course we all do not have such copyrighted videos in our libraries.
No he won’t, because in order to gain knowledge of your server’s contents he’d have to commit a punishable offense first.
He won’t need to say he gained the knowledge by breaking into your server, they will subpoena the info from the ISP which unfortunately in Germany they can do. Then it will be up to you if you want to go to court or not, but then in court they will prove you did it by again taking the data from the ISP as proof.
But I guess you are now an expert in German law.
No, they won’t. The ISP doesn’t know either what you have on your Plex server.
No, but they know what traffic went from your pipe.
This is why in Germany nobody should use torrents without a VPN connection. Otherwise you will receive the blackmailing letter. Most of the blackmail comes from one single lawyer company that wrote sophisticated software to connect to torrent swarms, log IP addresses from people and wait until they upload anything. Then they get your info from the ISP, you receive the letter and if you do not pay the blackmail you go to court. Most people in court lose their cases because they indeed did it and the ISP provides the needed data to prove it.
The software developers who wrote and maintain their hunting software have a special place in hell.
No, they don’t.
Neither do they store every packet that went through your connection (only secret agencies do that), nor will they know much more than that you may have communicated with both plex.tv and a few other machines on the internet. But they won’t know the contents of this communication.
That’s what secure connections were invented for.
That’s why Plex is using “certificate pinning” to pin the certificate to your particular server machine.
https://support.plex.tv/articles/206225077-how-to-use-secure-server-connections/
Use them. Force them on, if you’re that concerned about your ISP spying on you.