https://news.ycombinator.com/item?id=45174684
(Or at least related, this submission has the plex.tv website breach notification, not just the text of the email.)
I've been very happy with Jellyfin FWIW :)
> Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.
Whether that later changed for the worse is anyone's guess.
Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (although this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.
Easy way for me to turn my brain off and find a good documentary/educational show at the end of the day
So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.
They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...
Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.
Vault is more or less Old Testament, though, so if you're serious about zero trust, Zanzibar paper is a must-read!
Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's behalf within a clearly-defined scope (sic!). This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.
[1]: https://developer.hashicorp.com/vault
[2]: https://openbao.org/
[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...
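The agent-delegation case from the comment above, as an added example that is not part of the thread and is not code from Zanzibar, Vault or OpenBao: a simplified relation-tuple check in which an agent's access requires both a scoped delegation and the delegating user's own current access. Every object, relation and identity name is a hypothetical, constructed value.

```python
# Constructed relation tuples (object, relation, subject), Zanzibar-style.
# A subject is an identity ("user:alice") or a userset ("delegation:d1#agent").
# All object, relation and identity names here are hypothetical.
TUPLES = frozenset({
    ("folder:reports", "viewer", "user:alice"),
    ("doc:q3", "parent", "folder:reports"),
    ("doc:payroll", "viewer", "user:alice"),
    # alice delegates to an agent, scoped to folder:reports only
    ("delegation:d1", "grantor", "user:alice"),
    ("delegation:d1", "agent", "agent:summarizer"),
    ("folder:reports", "delegated_viewer", "delegation:d1#agent"),
})

INHERITED = {"viewer", "delegated_viewer"}  # relations that flow down from a parent


def subjects(tuples, obj, rel):
    return {s for (o, r, s) in tuples if o == obj and r == rel}


def check(tuples, obj, rel, subject, depth=8):
    """True if subject holds rel on obj directly, via a userset, or via a parent."""
    if depth == 0:  # bound recursion so a cyclic graph cannot loop forever
        return False
    for s in subjects(tuples, obj, rel):
        if s == subject:
            return True
        if "#" in s:  # userset subject: recurse into "object#relation"
            o2, r2 = s.split("#", 1)
            if check(tuples, o2, r2, subject, depth - 1):
                return True
    if rel in INHERITED:
        return any(check(tuples, p, rel, subject, depth - 1)
                   for p in subjects(tuples, obj, "parent"))
    return False


def agent_can_view(tuples, obj, agent):
    """Return the delegation id that authorizes the agent, or None.

    Requires both: the delegation is scoped to obj, and the grantor still
    has viewer on obj, so the agent never exceeds or outlives the user.
    """
    for d in sorted(o for (o, r, s) in tuples if r == "agent" and s == agent):
        in_scope = check(tuples, obj, "delegated_viewer", f"{d}#agent")
        grantor_ok = any(check(tuples, obj, "viewer", g)
                         for g in subjects(tuples, d, "grantor"))
        if in_scope and grantor_ok:
            return d  # the id is what an audit log entry would record
    return None
```

Removing the single `("folder:reports", "viewer", "user:alice")` tuple revokes the agent's access to `doc:q3` as well, without touching the delegation itself.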
cranberryturkey•2h ago
colordrops•2h ago
hnlmorg•2h ago
I’m getting increasingly frustrated at just how badly Plex behaves for home setups. Which is the entire point of installing something like Plex.
Most annoying still, I’ve even paid for their premium products in the hope that it would make things behave better and it did not.
The only reason these security incidents happen is because Plex try to extort home users. There isn’t any other compelling reason to have your details on their database with credentials to active installs.
Sheeny96•12m ago
bigiain•2h ago
I use Emby, only because a few friends did and recommended it. I'd probably switch to something more secure and/or open source given the right push.
crooked-v•2h ago
ksynwa•1h ago