[Implemented] Fix the gaping security holes

8 pages of this thread and no response from a Plex team member or a Ninja.  That should tell us something.  Over 300 votes on it, and I'm betting we see a new Cloud Service first.  (Or a new client that will need to be "fixed")

Make that 9 pages...  :/

jkiel, don't do that. Stay engaged and not from the sideline.  It's not that we can do anything but a little "healthy" debate can help others to see the real problem that exists and get a feel for why some type of things may or may not be a good idea. It's ok for us to disagree on things or the proper approach. Ultimately it's not up to you, me or anyone in this thread unless they work for Plex.  But, from this thread and others similar to it, the general users get a bigger picture of the problem which I think is important since Plex themselves have not disclosed the issue (only the users have) which IMHO is wrong.

For your first answer I both agree and disagree.  What I'm trying to say and it's not coming across clearly enough is that I've got the feeling Plex has a solution for many clients but not all of them and I think they are holding off until they can do everything at once across the board.  Maybe I'm completely wrong on this, but it's my gut feeling.  This is what I'm saying I disagree with.  What I'm trying to say is to release this stuff now for the clients that you can, especially if it's for those clients used in public places.

So it's a stop-gap to the full solution but could be the "actual solution" for that client.  Until it's done across the board it's not complete but by enabling the encryption for at least some clients (preferably ones used on public networks) it's helping to close the attack vectors one by one.  I'm also saying if said client can't fully be encrypted (all client/server communication as well as media) then just do the conversation parts for now with a solution for the media to follow.  So in this case it's a partial solution or "stop gap" but could at least encrypt the general chatter that is easy to pick off and get tokens from.

That's really the heart of what I'm saying. <-- roll out what you have now even if it's not complete across the board

My "jibber-jabber" comments (probably not called for) were to the hijacking of websites and hijacking of certs and things of that nature like social engineering.  Sure this stuff can be done and is done daily but shouldn't really be something Plex should overly concern itself with or cloud the conversation at hand specifically about the token exploits. If they can take measures to reduce this type of thing great but it's really not their responsibility. The type of person who clicks links in email to "reset" their password when they did not request a password change or gives their passwords to "support" via email, etc. is always going to fall prey to this type of "scam".  But that's also why I suggested only allowing certain admin functions to take place from certain whitelisted IPs.  So even with the proper credentials you couldn't do certain things remotely like adding new users or shares. <-- again stops part of the reason we get attacked.

If they properly design the client/server pieces they will know if the "domain" or "server" has been re-directed or not or if there is a MITM.  There are easy solutions for this now and we do this where I work.

So anyway, don't move to the sidelines and stay in the conversation.
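One way to implement the admin-function allowlist suggested in the post above, as an added example and not code from Plex or from anyone in this thread. It assumes a server that already validates the session token and can see the transport-level peer address; the network ranges, operation names and request records are constructed placeholders. The check denies admin operations (adding users or shares) unless the request arrives from an allowlisted range, while ordinary playback is unaffected, so a stolen token alone is not enough to reconfigure the server from the outside.

```python
import ipaddress

# Constructed allowlist (placeholder ranges): the home LAN and a VPN subnet.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.8.0.0/24"),
]

# Hypothetical operation names; the post singles out adding users and shares.
ADMIN_OPERATIONS = {"add_user", "remove_user", "add_share", "remove_share"}


def is_allowed_source(client_ip, allowlist=ADMIN_ALLOWLIST):
    """True if client_ip lies inside one of the allowlisted networks.

    A malformed address is treated as not allowed rather than raising, so a
    bad value can never fail open.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def authorize(operation, client_ip, token_valid):
    """Decide whether a request may proceed.

    client_ip must be the socket peer address, not a client-supplied header
    such as X-Forwarded-For, which an attacker controls.  Returns a tuple
    (allowed, reason) so the reason can be written to an audit log.
    """
    if not token_valid:
        return False, "invalid token"
    if operation in ADMIN_OPERATIONS and not is_allowed_source(client_ip):
        return False, "admin operation from non-allowlisted address"
    return True, "ok"


def audit(requests):
    """Run authorize() over a batch of request records and return log lines."""
    lines = []
    for op, ip, token_valid in requests:
        allowed, reason = authorize(op, ip, token_valid)
        verdict = "ALLOW" if allowed else "DENY"
        lines.append(f"{verdict} op={op} src={ip} reason={reason}")
    return lines


if __name__ == "__main__":
    # Constructed sample traffic: a remote viewer with a valid token tries to
    # add a user; the same action from the LAN succeeds.
    sample = [
        ("play", "203.0.113.7", True),
        ("add_user", "203.0.113.7", True),
        ("add_user", "192.168.1.20", True),
        ("add_share", "192.168.1.20", False),
    ]
    for line in audit(sample):
        print(line)
```

The allowlist is a second factor tied to where the request comes from, so it limits what a sniffed token can do even before the transport itself is encrypted; it does nothing for the playback endpoints, which is why it is a stop-gap alongside encryption rather than a replacement for it.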

Anyway, I've invested far more effort in this endeavor, in both hours spent researching the problem, trying to work-around the problem, and trying to communicate the problem to both Plex users and Plex, than I ever thought I would.

In all honesty, that is the frustrating part here. You and frmstat have provided a partial solution a couple of months ago. It had its issues, but as I understood even mobile client support was added for specific clients. What is stopping them to take some tough decisions and implement it?

Jaap

8 pages of this thread and no response from a Plex team member or a Ninja. That should tell us something. Over 300 votes on it, and I'm betting we see a new Cloud Service first. (Or a new client that will need to be "fixed")

Make that 9 pages... :/

That's how plex works, love it or hate it. They had hundreds of posts about protecting adult-rated content from children's eyes, and said nothing until plex home came to life (only for plex home theatre, roku and Web as far as I know; talk about limited availability!), so don't expect anything until an official announcement.

8 pages of this thread and no response from a Plex team member or a Ninja. That should tell us something. Over 300 votes on it, and I'm betting we see a new Cloud Service first. (Or a new client that will need to be "fixed")

Make that 9 pages... :/

It has been mentioned before, maybe not in this thread, but security is an important issue for plex. They are looking at options but, as usual, will not officially say anything until something is in place.

I have nothing to add to the discussion myself as security is not in my area of knowledge. If you just want a did someone see this, yes we are aware of this thread.

As my Grandpappy used to say:  "Actions and words...  One gets the cow milked."

2+ years we have been waiting on a fix for this.  Most of the serious discovery and leg work appears to have been done by subscribers  to identify and offer solutions for repairing it.  Work had been done by a lot of folks on this, including a vast number in this thread and the previous one, https://forums.plex.tv/topic/101886-proof-of-concept-token-exploit-please-fix-this-massive-security-hole

Elan's last post in that thread is from November:  https://forums.plex.tv/topic/101886-proof-of-concept-token-exploit-please-fix-this-massive-security-hole/page-9#entry772853

The little Scotty graphic is almost insulting considering the potential issues this could raise for someone running Plex.  (Ok, it IS kinda cute, but very inappropriate given the potential severity of the problem.)

You popping in here, MovieFan, and saying that they are aware of it and working the issue isn't any help.   We KNOW they are aware of it.  We KNOW they have to be working on something.  When you look at the huge numbers of clients brought out since then, the numbers of updates to PMS and the work that has gone on since Elan's last post what are the subscribers to think?  Every one of these clients will require some sort of mods to the code to implement whatever fix gets worked in... 

We aren't asking for turning the impulse engines into warp engines, we are asking for SECURITY!  Denise Crosby might have been a better graphic to post, then...  (Or Michael Dorn.)

Issues like this, where there are HUGE security issues, should be the exception to the Plex Team's Time Line rules.  If you want us feeling security is as important to you as it is to us, you would be telling us when to expect a fix, or what work is taking place to help resolve things.  Providing workarounds or tools to reduce exposure.  Not backing off of it, ignoring a whole thread for 3 1/2 months and its companion thread since its inception.

Here is the question I want you to ask yourself, MovieFan and elan...  If you had issues with a program regarding security, how would you react?  Would you sit back and wait for someone to steal your stuff or damage your equipment?  Or would you scream for a fix?  Don't reply though...  I want the cow milked...

I wasn't aware of how serious this issue was until now, it's rendered one of my plexpass subscriptions totally useless so i'm going to have to cancel it.

They have refused to answer my posts regarding basic security directing me back to posts without staff replies or staff action.

Plex has prior knowledge of these flaws and continues to sell services tied to the software while these are exploitable. That is very concerning.

You popping in here, MovieFan, and saying that they are aware of it and working the issue isn't any help.   We KNOW they are aware of it.  We KNOW they have to be working on something.  When you look at the huge numbers of clients brought out since then, the numbers of updates to PMS and the work that has gone on since Elan's last post what are the subscribers to think?  Every one of these clients will require some sort of mods to the code to implement whatever fix gets worked in... 

I understand the frustration, I was just responding to your post that there had not been any comments from Plex staff or any ninjas.

Even ignoring the new clients that have come out recently, if we just look at the original base of clients (PHT, Web, Roku, and iOS and Android mobile apps) and all the variations in servers (Windows, Apple, Linux, NAS), whatever solution is needed is not a simple task to figure out, but I trust that Plex will figure it out.

Even ignoring the new clients that have come out recently

I am not going to ignore them: while the security problem isn't solved, you guys are increasing the problem and enlarging the codebase to be fixed, digging a deeper hole for yourself.

if we just look at the original base of clients (PHT, Web, Roku, and iOS and Android mobile apps) and all the variations in servers (Windows, Apple, Linux, NAS), whatever solution is needed is not a simple task to figure out, but I trust that Plex will figure it out.

Will this solution come before or after a widespread attack on Plex has taken place? At this (lack of) speed we will get the solution by the turn of the century. It will probably be the coolest thing we have seen, but most of us will have died from old age or been hacked in the meantime. Plex is behaving like the ER nurse that tells the guy with a bleeding artery "wait in line, your time will come".

There are times that require you guys to drop everything and focus on one single issue. Please realize that having significant security issues and not solving them for 2.5 years without informing your customer base is considered criminal negligence in most countries and makes you fully liable for any damages caused. A hacker destroying someone's collection of family pictures or videos (irreplaceable content) could easily go into the thousands of dollars per case when it goes to court.

Jaap

There are times that require you guys to drop everything and focus on one single issue. Please realize that having significant security issues and not solving them for 2.5 years without informing your customer base is considered criminal negligence in most countries and makes you fully liable for any damages caused. A hacker destroying someone's collection of family pictures or videos (irreplaceable content) could easily go into the thousands of dollars per case when it goes to court.

There are laws on the books in several states in the US that require a company to inform customers of computer intrusions that compromise their personal data.  I do know CardSystems Solutions, Inc. was charged with this among other things in 2005.

"The complaint also charged the financial services firm with violating a California state statute requiring it to inform customers of computer intrusions that compromise their personal data."

We already know that our personal data can and has been compromised because people are selling access to our systems on the Internet.

Now, seeking any type of damages would be much harder than a fine of course as you would have to prove your damages.  I only know of a few situations where this has happened against a software company and I believe they were mostly automotive related where the software resided in electronic components that failed safety measures and caused death and/or injury.

But as Jaap pointed out, in many jurisdictions Plex is breaking the law by not notifying its customers of the breaches and security issues currently in the software.

It will probably be the coolest thing we have seen, but most of us will have died from old age or been hacked in the meantime. Plex is behaving like the ER nurse that tells the guy with a bleeding artery "wait in line, your time will come".

That's really funny, but sad because true. I always hated that ER nurse.

That's pretty funny!

mediabrowser3 has done this pretty easily, I've just started using it. It's not quite as shiny as Plex but it works!

I rarely post here, but I'm very seriously considering ditching Plex altogether (and canceling my PlexPass subscription) unless this gets fixed. I've been using Plex for over four years, and will be sad to see it go.

I'm currently having to run my server through a VPN which completely bogs down my traffic, rendering any remote streaming more or less useless. In my opinion this is a very obvious core feature that should have been included in the spec of version 0.1 of any remote client/server product, let alone one containing likely sensitive/copyright information. The fact that it's taken this long without a clearly defined timeline has reached unprofessional levels.

The core userbase of Plex likely has very good reasons to want encrypted connections between remote clients and their servers, so aside from technical ineptitude or god forbid law enforcement or media companies applying back door pressure, I can't possibly see why this isn't priority 0 for the development team.

In case I have to spell out the obvious to the Admins, the entire company will drown in bad press if some of its users fall victim to copyright notices due to security negligence on Plex's behalf. All it would take is a headline on Engadget/Gizmodo/Reddit of "Plex users all vulnerable to security breach, no fix in sight," with someone's account of being served or raided, which by the sounds of how bad this is could very likely be posted any day now.

In case I have to spell out the obvious to the Admins, the entire company will drown in bad press if some of its users fall victim to copyright notices due to security negligence on Plex's behalf. 

Lively thread, important issues. Copyright issues, however, fall into the users' laps. You shouldn't be breaking copyright laws no matter which HTPC software you use.

This is stated in Plex's Acceptable Use Policy:

https://plex.tv/legal

Acceptable Use

  1. You may not, or allow anyone else to, use any of the Services to do the following:
    1. Infringe the intellectual property rights, proprietary rights, or rights of publicity or privacy of any third party;

Lively thread, important issues. Copyright issues, however, fall into the users' laps. You shouldn't be breaking copyright laws no matter which HTPC software you use.

This is stated in Plex's Acceptable Use Policy:

https://plex.tv/legal

Entertaining to think about how a Plex Ninja would respond to something like copyright issues within the Plex application but won't answer the fix/solution of security improvements.  Flat out sounds like there is a big issue with the core system of Plex not allowing security enhancements to be easily done.  Or able to be completed at all?  Due to the lack of communication from Plex employees it almost feels like there is no solution visible in sight.  There are lots of additional features added monthly, which seems like the developers/Plex are side stepping around security issues/concerns to try and hide it.  

Entertaining to think about how a Plex Ninja would respond to something like copyright issues within the Plex application but won't answer the fix/solution of security improvements.   

Because I don't know the answers.  I'm not a Developer.  

Again.... cayars pointed this out above, and I've pointed it out before... 

They are selling access to our accounts on the dark web!.... This needs a little more than a "we are looking into it". 

Strange how most of Plex's problems stem back to how you communicate with us, but hey I'm not telling you how to run this, or how to implement at fix. Just adding my voice to the others who have shared more eloquently than I. 

Why doesn't someone from the Ninja team who does know about these issues come talk to us? 

Lively thread, important issues. Copyright issues, however, fall into the users' laps. You shouldn't be breaking copyright laws no matter which HTPC software you use.

This is stated in Plex's Acceptable Use Policy:

https://plex.tv/legal

Because I don't know the answers.  I'm not a Developer.  

You know, I swore to myself I was done beating people up over this.  Really, I've been a good boy lately, and refraining from the negativity.

These two posts just did that resolve in... 

With the comments all through this particular and the other thread about the same issues, you decided you needed to come here and quote Plex's copyright information, then deny any knowledge about what's going on with regards to fixing the issues.  Neither of your responses help to salve the concerns people are having over the lack of OFFICIAL and TIMELY response to these exploits.  In fact, they are downright insulting.  We are trying to prevent people from using our Plex Media Servers to violate that same copyright clause you quoted in your first post.

Under Plex's own EULA, they have been perpetuating the illegal activity by not plugging the holes that allow unauthorized users to use systems that may fully comply BUT have gotten hacked.  Plex hasn't been forthcoming on either the exploit itself or on the work moving toward resolution.  End users were the first to report these exploits on these boards.  End users also provided ideas for potential fixes.  Under some jurisdictions that could be considered culpable and potentially opens Plex itself up for liability should damages occur.

If you have specific knowledge of the time line for this fix, 5stringdeath, please, share with us.  Otherwise all you have done is add more fuel to an already out of control fire.

I will again attempt to refrain from this and its companion thread.  Should more stupidity arise, I'm sure that will change.