Morgikan

joined 3 years ago
[–] Morgikan@fedia.io 17 points 20 hours ago (3 children)

Not for Youtube at least. They actively try to degrade performance for Ublock Origin users by refreshing elements that force ublock into a death loop that ends with exceedingly high CPU/RAM usage that potentially crashes your browser. At that point, I would say it goes beyond annoyance and into malicious activity.

[–] Morgikan@fedia.io 2 points 1 day ago

I would say it reached a better service position in the early 2000s with the rise of broadband (1.5Mbps to 3.0Mbps) internet speeds.

Prior to that, you still had IRC and BBS, but there was a divide between filesize and your ability to download that filesize within reason. There also existed a divide between what was accessible to technical users vs everyone else. Non-technical users might copy 3.5 floppies or cassettes but weren't present in the internet space. Broadband opened the door for services like Napster, Kazaa, and Limewire which granted everyone access.

That service model was so successful to the point that it completely altered the music industry and how people bought music (ex. iTunes).

[–] Morgikan@fedia.io 3 points 1 day ago (2 children)

It would depend on having access to misconfigured permissions or docker.sock like when you chain containers to manage other containers. Because you have access to docker.sock and that socket can send API calls to the docker daemon (which is run from root) those commands would inherit the same level of access. An attacker could make the API call to mount /:/root and then access the host filesystem.

It's just an example of how even though the container might not have anything worthwhile, it can be used to laterally move and open another door.

[–] Morgikan@fedia.io 12 points 1 day ago (4 children)

My biggest concern is pivoting. Specific to Jellyfin, many users are using docker, but do not isolate the user so the daemon is operating as root. With that setup, an attacker could mount the host filesystem to the container and would own the host from that container.

Again, for the linux mention, the answer is pivoting. Many machines use Tailscale. If one of those machines were to be compromised using Tailscale's default ACL, they would be able to move laterally through the network without issue. At that point, it would be possible to modify existing nodes (ex. subnet routers, exit nodes, etc) or even add additional rogue nodes.

The question of why people care is tricky. Why should you care if your networked printer is using out of date firmware? It likely isn't storing personal information, right? It's a prime target because it's easy, poorly monitored, and opens another door. A lot of infosec is just keeping doors shut so other doors don't get opened.

[–] Morgikan@fedia.io 2 points 2 days ago

If the goal is doing this in a simple fashion, then use Tailscale funnels (https://tailscale.com/docs/features/tailscale-funnel). Funnels automate the process and act as a reverse proxy into specific servers within your tailnet.

The downside is there is no authentication to funnels, so whatever you're running (Jellyfin in this case so that's not an issue) needs it's own authentication setup. You might consider running fail2ban on that machine and have it watch for login attempts, but otherwise that is the simplest setup I think you could do.

[–] Morgikan@fedia.io 6 points 5 days ago (1 children)

I had pfSense running on an old Core 2 Duo machine from around 2010 when I worked in MSP. You can run it on just about anything.

The only trouble I had was when I switched to gigabit+ service and had snort running. Snort is single-threaded and that CPU just could not keep up. Suricata would be a better choice given it's natively multi-threaded, but the real limitation there was my setup and not pfSense.

[–] Morgikan@fedia.io 3 points 6 days ago (3 children)

Bob Saget would roll in his grave if he heard about your addiction.

[–] Morgikan@fedia.io 18 points 6 days ago

Having the game on the horizon is actually a very good position for the employees for two reasons:

  1. Pre-orders. Rockstar already secured $3 billion, so they don't have the argument that compensation is unfair (why they were wanting to unionize to begin with along with work hours).

  2. (The big one) Pre-Launch Strike. There still is a LOT of damage that could be done to GTA6 especially given the pre-orders. If they strike before November, GTA6 would go without day 1 patches. Whatever state it is in prior to strike is how it will stay during the highest review and revenue period for the game. It would mess with marketing and potentially even push off release by months which would hit their stock price hard.