I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Scary le Poo@beehaw.org · 3 days ago

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Waryle@jlai.lu · edit-2 1 day ago

https://www.legifrance.gouv.fr/juri/id/JURITEXT000030635061/

Case law from the Cour de Cassation, where the defendant was convicted, by Articles 323-1 and 323-5, of having extracted data freely following a proven failure of the protection system.

The complainant just had to show that the data SHOULD have been inaccessible, by expressing this “with a special warning” :

"3°) alors qu’en l’absence de dispositif de protection des données, la maître du système doit manifester clairement et expressément manifester, par une mise en garde spéciale, sa volonté d’interdire ou de restreindre l’accès aux données ; qu’en déduisant de la seule présence d’un contrôle d’accès sur la page d’accueil du site de l’ANSES que M. X… s’était irrégulièrement maintenu dans le système contre le gré de son propriétaire, la cour d’appel a violé l’article 323-1 du code pénal ;

Translated :

“3°) whereas in the absence of a data protection system, the master of the system must clearly and expressly manifest, by means of a special warning, his intention to prohibit or restrict access to the data; that in deducing from the mere presence of an access control on the home page of the ANSES site that Mr. X… had irregularly maintained himself in the system against the owner’s will, the Court of Appeal violated article 323-1 of the French Penal Code ;

In my case, the first thing you see when you arrive at my Jellyfin instance is a login form blocking your entry, and you have to go through a backdoor to access my data, so there’s no ambiguity on this point.

You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

Saik0@lemmy.saik0.com · 1 day ago

You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

LMFO. I actually speak English, French, Polish, and German (in proficiency order) and have an EU citizenship.

I just happen to live in the USA. So congrats, you’re wrong again. Try not to resort to personal attacks next time. You’ll look much less silly.

YOUR intention doesn’t matter. You don’t maintain the jellyfin code. The actual code designers specifically left the endpoints open for “compatibility”. There was a conscious decision for those endpoints to not require authorization, and worse, IT’S DOCUMENTED. This is not like the case you’re quoting. If accessing endpoints without auth was ever illegal, almost all IoT devices would be illegal, a good chunk of gaming and other services would be illegal, etc… This premise is asinine.

You realize that google and other sites regularly scan and capture direct links to websites without ever giving a shit about a login page somewhere else on the site. You don’t see lawsuits against any of those crawlers, nor the people who click the crawled links when they return in a search result. This is the exact same premise.

Waryle@jlai.lu · 1 day ago

Oh you insufferable rawgabbit. Even in the face of definitive proof, the only thing you care about is throwing a 4 paragraphs tantrum trying to twist every single word just to not say “OK, maybe I was wrong on that thing”. I’m out.

Saik0@lemmy.saik0.com · 1 day ago

I’m insufferable? You’re the one relying on personal attacks to make your point. Then run away with tail between legs when I show you 1) how it’s not the same as your case and 2) how other current internet operations WOULD be the same, and there’s no lawsuits in regards to those things.

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin