r00ty

Yep I’m hearing a lot about this and there’s a few Lora nodes on it in my area. So am considering looking into it.

If you set the ip of the router to fe80::1 then anything directly connected should be fine to connect using that address.

The thing is. Any year can be the year of IPv6. Google is on ipv6, youtube is on ipv6, facebook is on ipv6. Pretty much every datacentre I’ve used (OK limited to Europe) give you IPv6 for free by default. Deploying a web site to be IPv4 and IPv6 is trivial and people that use automation should be able to quite easily apply ipv6 to those scripts.

It’s really just the ISPs (more so in the US as I understand it), lazy IT people and the FUD myths holding us back at this point.

IPv6. No. Badly configured IPv6 routers, yes. But that’s something that would fix itself if it became the only protocol in use. And most routers now are pretty good at it from what I’ve seen. But it used to be the case it was easy to find bad routers.

The myth seems to be that NAT provides security. But a good default configuration for consumer routers would give the same security as NAT while providing the advantages and extra security IPv6 provides.

IPv6 usually has privacy extensions enabled. Which means it will generate throwaway IP addresses that rotate regularly for your outgoing connections, these IPs do not accept incoming connections. So someone cannot nmap you to find open ports based on the IP you connected to their server with.

Not to mention that most ISPs give each user more IPs than the whole IPv4 internet has. So, port scanning an entire /64 is not going to be fun.

Well you could accept the default generated one, or set it to fe80::1 manually. Don’t most good routers now have a DNS server in? So you could make it router.local or something?

I think some even by default make a DNS entry call router.local or similar pointing to themselves. This isn’t a real problem and if IPv6 were adopted fully, then all routers would likely come with something like this setup anyway.

I was tempted to get an AMD 9070XT and maybe pass the 3080 to windows (since AMD is generally regarded better in Linux). Somehow (at least here in the UK) the prices haven’t gone up for that card yet.

But then I bought a load of radio stuff instead. :P

I sometimes run windows as a VM. But generally just for specific software. Radio programming, some have only windows tools that won’t play ball with wine. They need the USB port passed through.

There’s also just some tools only viable in windows. But I generally have always gone for one step up from the current normal RAM amount because 1: Software development likes to eat ram and 2: I really don’t like to upgrade too often.

However, my understanding is that this could be exploited only by authenticated users with permission to add new media. Not like that’s a risk to ignore, but it’s not like it could be exploited by anyone on the Internet.

I wonder if that’s the reason for setting the default live TV management permission to false. Since that permission might well the the route to adding your own malicious m3u link for that second change.

Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.

But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.

This is kinda my thoughts too. I have a generally “OK” setup now. 7800X3D, 64GB DDR5-6400 (I think it is 6400 anyway), and a 3080. Should be fine for now. At least to wait and see if we’re:

• Totally cooked and will eventually be forced to compute on the cloud
• Things return to some level of normality as the AI hype bubble bursts and people start using it as a genuine tool and not the panacea for all of our problems that needs the insane level of investment it’s been given lately.

Hell, if the bubble bursts hard enough there might be some cut price action, just like all those juicy cheap enterprise HDDs we could get during the covid times. Maybe wishful thinking though.

Just remember who screwed you over if/when they come back to consumers, cap-in-hand.

From a cursory look at just the security commits. Looks like the following:

• GHSA-j2hf-x4q5-47j3: Checks if a media shortcut is empty, and checks if it is remote and stores the remote protocol if so. Also prevent strm files (these are meant to contain links to a stream) from referencing local files. Indeed this might have been used to reference files jellyfin couldn’t usually see?
• GHSA-8fw7-f233-ffr8: Seems to be similar, except for M3U file link validation and limiting allowed protocols. It also changes the default permissions for live TV management to false.
• GHSA-v2jv-54xj-h76w: When creating a structure there should be a limit of 200 characters for a string which was not enforced.
• GHSA-jh22-fw8w-2v9x: Not really completely sure here. They change regex to regexstr in a lot of places and it looks like some extra validation around choosing transcoding settings.

I’m not really sure how serious any of these are, or how they could be exploited however. Well aside from the local file in stream files one.

So good, you had to tell use twice?

Yeah but… Is America great again yet?

My body is a machine that is way out of warranty.

Ah OK. I’m on my own instance. So I don’t have any of those communities here. So in my case I won’t.

Yeah. But then to see it, you would have actually made the conscious choice to go to lemmynsfw, no?

Yeah I have 64GB DDR5 6400, and I am kicking myself that I didn’t get more. Yeah 64GB is enough. But might be a while before I can get more.

No, they’re saying Firefox uses so much ram they’re far far more likely to be a victim!

People are still having sex, and nothing seems to stop them!

Oh yeah, I saw that black mirror episode. Good thing it’s only fiction.