
Americans are also tired of what’s going on.

Also a Yubikey requires you to physically push it to sign. So an attacker needs to have physical access.

Yeah, but they already mentioned that they expect the attacker to hijack your ssh command so you'll touch it yourself, thinking you're authorizing something other than what you actually are.

It does mean that they can't use the key a thousand times. But once? Yeah sure.


> hijack your ssh command so you'll touch it yourself, thinking you're authorizing something else than you actually are.

That doesn’t do anything at all.

1. If the attacker is redirecting you to a different host then ssh will simply refuse to connect due to known_hosts (I guess they could have added to that file too, redirect you to a honeypot and then hopefully you’ll run “sudo” before realizing but then at that point just hijack “sudo” itself in the local machine)

2. If the attacker is trying to let you connect and eavesdrop on your connection to steal credentials, then that also still doesn’t work, as the handshake for ssh is not vulnerable to replay attacks

The attacker could trick you into signing something I guess but then that still doesn’t do anything because secrets are not divulged at any point

I guess if the yubikey is also used for `sudo` then your attack makes more sense, as the attacker could prompt you to authenticate a sudo request when you call the evil `ssh`


Okay let me elaborate how I envision that attack to work:

1. attacker wants to use your yubikey-backed ssh key, let's say for running ssh-copy-id once with their own key so they can gain access to your server

2. thus they need to trick you into touching the key when they run that command

3. the best way to trick you is to wait until you do something where you'd normally need to touch that key yourself

4. so they alias ssh to a script that detects when you're trying to connect to this server yourself, and invokes ssh-copy-id instead, which prompts you to touch the yubikey and you do

5. spit out a reasonable looking error (something that makes you think "bloody DNS, it's always DNS, innit" or something silly like that); then they undo the alias so you succeed on the next try and suspect nothing


That's a valid attack, but one thing is that they only get access this one time, and you may realise that something wrong happened (maybe not).

But they won't get your private key.


> But they won't get your private key.

Indeed, that was my point exactly a couple posts up the thread. :-)

> you may realise that something wrong happened

I think I can iterate on the exact mechanics to make this less likely. I mean it's getting off-topic but the one thing that comes to mind is to enable ControlMaster for all ssh connections which allows any second ssh invocation to skip the auth and just re-use the existing connection. ssh-copy-id is near instant then and doesn't ask anything.

At that point you might—rightly so—argue that they're no longer tricking the user into authorising a different operation. Just a reminder that if someone can run code as your local user, they can easily and sneakily gain access elsewhere. Even if you need a yubikey touch to connect there.

The original attack idea of timing the yubikey touch for when you normally expect to touch it might still be relevant for a scenario like ssh-agent forwarding to a malicious box. They can't run code as your local user, but can still perhaps trigger the agent to interact with the yubikey. Maybe.
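The attack sketched a few posts up relies on something (an alias, a shell function, a PATH shim) answering for the name `ssh` in the victim's shell, and the refinement above relies on ControlMaster multiplexing. As an added example, not code from anyone in the thread, here is a small POSIX shell check a user can run to see how their own shell actually resolves `ssh` and what ControlMaster value OpenSSH would apply to a given host. The host names are constructed placeholders; the `command -V` output formats it parses are those of bash and dash.

```shell
#!/bin/sh
# Added example, not from the thread: report how the current shell resolves a
# command name, so an interposed alias/function/shim in front of the real
# OpenSSH client is visible, and show the effective ControlMaster setting.

# check_ssh_command NAME
#   prints "<kind> <description>" and returns
#     0  NAME resolves directly to an executable file
#     1  NAME is shadowed by an alias, function, builtin or keyword
#     2  NAME cannot be resolved at all
check_ssh_command() {
    local name desc prefix kind
    name="${1:-ssh}"
    # command -V describes the resolution; head keeps only the summary line
    # (bash prints a function's whole body after it).
    desc=$(command -V "$name" 2>/dev/null | head -n 1)
    if [ -z "$desc" ]; then
        printf 'missing %s\n' "$name"
        return 2
    fi
    prefix="$name is "
    desc="${desc#"$prefix"}"          # strip the leading "NAME is "
    case "$desc" in
        /*|"hashed ("*)  kind=file ;;     # bash: "/usr/bin/ssh" or "hashed (/usr/bin/ssh)"
        *function*)      kind=function ;; # bash: "a function", dash: "a shell function"
        *alias*)         kind=alias ;;    # bash: "aliased to ...", dash: "an alias for ..."
        *builtin*)       kind=builtin ;;
        *keyword*)       kind=keyword ;;
        *)               kind=other ;;
    esac
    printf '%s %s\n' "$kind" "$desc"
    case "$kind" in
        file) return 0 ;;
        *)    return 1 ;;
    esac
}

# ssh_controlmaster_setting HOST
#   prints the ControlMaster value OpenSSH would use for HOST (ssh -G evaluates
#   the client configuration without connecting), or "unknown" when no usable
#   ssh binary is present. "command ssh" bypasses any function of the same name.
ssh_controlmaster_setting() {
    local host
    host="${1:-host.example.invalid}"   # constructed placeholder
    if ! command -v ssh >/dev/null 2>&1 || ! command ssh -G "$host" >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    command ssh -G "$host" 2>/dev/null |
        awk '$1 == "controlmaster" { print $2; found = 1 }
             END { if (!found) print "unknown" }'
}

# Usage: inspect the command you are about to rely on.
check_ssh_command ssh || echo "warning: 'ssh' does not resolve to a plain executable"
echo "ControlMaster for myserver.example.invalid: $(ssh_controlmaster_setting myserver.example.invalid)"
```

A result other than `file` for `ssh`, or a ControlMaster value of `yes` or `auto` for a host where a fresh touch was expected, is worth a look before trusting what the key prompt is asking you to approve.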


He’s clearly a standard pathological lying C-suite exec


I don’t know why this is stalemate: N4 N5, N6 K7, R5. Wouldn’t rook have the king in checkmate?


Black has no legal moves because of the knight but they aren't in check


The rook doesn't attack the king because N6 is in the way.

So black is not in check and has no legal moves, so stalemate.


Isn't that a forced move to K8? The king is forced to take N6 or move to K8, either of which results in a capture.

Isn't this the definition of checkmate, not stalemate?


The relevant rule from standard chess:

> Leaving one’s own king under attack, exposing one’s own king to attack and also ’capturing’ the opponent’s king are not allowed.

N6 and K8 both expose the black king to attack, so black is not allowed to make those moves. And with no other options, black has no legal move.

And since black isn't in check where they are right now – that's a stalemate.


King isn't allowed to move to a square that would put him in check, so there are no legal moves available. Chess rules.


Long gone until quantum computers crack all the legacy wallets


At which point the bitcoin in legacy wallets is clearly worthless


It would be insane for the Bitcoin protocol to make Bitcoin in non QR wallets worthless.


I was curious about this point when discussion came up on HN just recently. I don't see how you could "assign" each non-QR address a new quantum resistant address unless they "claim" it themselves somehow. What can possibly happen to an uneducated mom-and-pop bitcoin holder who never takes up their claim? Someone else who cracks their private key would be in an identical position to them w.r.t authenticating themselves and doing such a claim first - thus it becomes a race


The parent claim is that once quantum cracking becomes real, there would be no more bitcoin in non-QR wallet (because the quants would steal it all).


The protocol isn't what determines how much a coin is worth


That's not really what GP was saying, but since you brought it up I think it would actually be insane NOT to - otherwise Bitcoin has an extremely unstable period as 100s of billions of $ worth of locked up BTC becomes instantly fluid the moment the non-QR wallets are crackable.

I.e. it makes sense to have a long term planned migration of what's active rather than any type of instantaneous rush/change.


It's all about timing.


A company like Apple should have complex enough tools to perfectly capture system state at the time of the bug so that they can reproduce it.


I don't work at Apple, so I can't comment on that. But that doesn't always help. There's been plenty of times where I have a full HAR file from the user and I can clearly see that something went wrong, but that doesn't always mean I can reproduce the issue. (I recognize a HAR file doesn't represent the complete state of the world, but it's often one of the best things a backend developer can get)


Reminds me of this Raymond Chen Microsoft blog post:

https://devblogs.microsoft.com/oldnewthing/20241108-00/?p=11...


It always helps. Even if you can't determine the root cause, you can at least add an extra assertion check or logging statement at that point so that next time the bug gets triggered you'll at least get more useful diagnostic data and can get a step closer. Iterate until you find the root cause.


That’s easy enough. The hard part is doing so without capturing a bunch of email, messages, and other private data that happens to be in memory at the time.


Ignorant question, if privacy didn’t matter and they had an atomically identical machine, would there still be plenty of edge cases where it was the printer or the Wi-Fi causing the issue?

In any case I would have said it sounds difficult on every front


I should be more precise. Capturing the system state isn’t too hard. Turning that into a reproducer may be quite hard, because of things like you say. There are certainly a lot of bugs that such a capture would make easier to figure out, but it wouldn’t be a panacea.


The longer this war continues, the more it hurts the US. There is no strategic win to be had for us. The only party that benefits from this action is Israel and we've given them enough blood/money in the past few decades.


I don't think it even benefits Israel. At least not the people of Israel. Maybe it helps keep Netanyahu in power. But they're just creating more extremism and hatred of Israel in Iran and utterly failing at even creating regime change.


People have already forgotten about Gaza/W bank and there is a ground invasion of Lebanon happening that no one is talking about. They are absolutely winning if their goal is regional dominance.


This war is very broadly supported by Israelis. Something like 90%+ want to keep it going. I agree that it's not good for them. Their reputation is already the worst in the world, and destroying the global economy and committing additional, non-stop acts of terror is sure to keep that trend going. I don't think they can be considered rational actors anymore though, more of a rogue state theocracy that's 100% out of control.


viet fucking nam man - the dude


The T really ties the word together man


Eh, I was happy to pay Plex a one time fee of ~$120 for a lifetime license. I'd rather just set up Plex in a docker container and expose that port than deal with a bunch of services constantly needing doctoring in my homelab.


I've run both and Jellyfin is actually easier to run IMO, since it is in package managers. Also has free android/iphone app. What do you think you have to do in Jellyfin you don't in Plex?


How easy is it to get family and friends to connect to your Jellyfin on like their Roku or Apple TV?

Right now I just have them make a Plex account and they just login. Easy on my part since I don’t have to be tech support.


I send them an email that contains a link to jellyfin.mydomain.tld with their new username and password, plus a few tips for how to get the most out of it (I wrote a template a few years ago).

It's not any more work for me than giving a user library access on Plex, but it does require I have a reverse proxy and a domain.


Would you mind sharing your template?


Sure. I think this was originally written by GPT-3.5 but I've tweaked it a lot since then. I try to keep it short enough that people will actually read it all the way through while still answering some of the more common questions.

    Subject: Welcome to <my real name>'s Jellyfin Media Server 

    Hi there,

    Welcome aboard! You now have access to my media server and can enjoy my library of Movies and TV Shows.

    Here are your login details:

    Link: https://{JELLYFIN_DOMAIN} (bookmark this!)

    Username: {USERNAME}

    Temporary Password: {PASSWORD}

    Please update your password as soon as you log in for your security:

    Log in with the information above. Click your profile icon (top-right corner, looks like a person). Choose "Profile" (same icon again). Enter the current password and your new chosen password, then click Save.

    Tips:

    Jellyfin works like any other streaming platform, you can browse, watch, and favorite. It always keeps your place and remembers what you were watching so it's easy to come back to.

    Jellyfin can be used in a web browser, or you can find apps for phones, tablets, and some TVs.

    Browse the full list of movies or shows available by clicking the boxes under "My Media" on the home page.

    You can request new media by visiting {REQUEST_DOMAIN} and logging in with your same Jellyfin username and password. Please only request things you are sure you will watch in the next month or two.

    Jellyfin and Ombi are software packages that I run on my own computer, but I did not build them.

    Please reply to this email if you have any issues.

    Enjoy!


I see both sides, I paid $5 in 2013, but each time I use it I feel like they keep pushing their own content to the home screen.


I tried to use search the other night, for a movie I know I have. It listed 30-some entries, all for their "Plex content" bullshit. I can't find a setting that turns that off. I have no interest in them trying to become a half-assed Netflix.


I too have the lifetime pass. A group of us collectively manages >1PB of content via Plex. But we need an offramp to derisk enshittification, and Jellyfin is that readiness capability. If you have no option to switch to when the time comes, you are SOL. Even if I did not use Jellyfin today (I do for a music catalog, but it is not primary), I am willing to provide them recurring donations to make sure they are ready when I need them.

(ymmv, I work in risk management, a component of which is vendor risk management, so the professional mental model gets applied to home systems when applicable; rug pull? not on my watch, and the rug pull will happen eventually)


How in the world did you amass a petabyte of content?!


Over the lifetime of a group of people.


With a fiber connection, 5-20 terabytes/month is nothing. I could probably ramp it up, but I'm only looking for 1080p content. The only thing that keeps me sub-petabyte is that my budget doesn't allow for a NAS with enough bays (and 20tb disks going up to $500ish here lately surely hasn't helped).

Really, just start downloading every new release and you wouldn't even have to dip into the back catalog much.


I understand your reluctance, I was not very optimistic when I started installing Jellyfin.

Turns out it is pretty straightforward and I never had to deal with the hassle of maintenance. The two non-mandatory configuration steps I had to make were:

- the file permissions to share Jellyfin's library with my torrent daemon. But IIRC this is the same with Plex.

- the nginx reverse proxy with WebSocket for the "watch together"-like feature to work
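The second of those steps, the reverse proxy with WebSocket support, is the one that most often goes wrong silently. As an added example, not the commenter's own configuration, here is a minimal nginx site that terminates TLS for Jellyfin and passes WebSocket upgrades through. Jellyfin listens on port 8096 by default; the domain and certificate paths are placeholders.

```nginx
# Added example, not the commenter's configuration: nginx in front of Jellyfin.
# The host name and certificate paths below are placeholders.
server {
    listen 80;
    server_name jellyfin.example.com;            # placeholder domain
    return 301 https://$host$request_uri;        # never serve the login page over plain HTTP
}

server {
    listen 443 ssl http2;
    server_name jellyfin.example.com;            # placeholder domain

    ssl_certificate     /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.example.com/privkey.pem;    # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8096;        # Jellyfin's default HTTP port
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;                     # stream media instead of spooling it to disk
    }

    # Jellyfin's live updates (SyncPlay, playback state) use a WebSocket on
    # /socket. Without the Upgrade/Connection headers nginx turns the upgrade
    # into an ordinary HTTP/1.0 request and the feature fails with no error.
    location /socket {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Keeping Jellyfin bound to 127.0.0.1 and exposing only nginx means the only thing reachable from outside is the TLS endpoint, which is also what lets the same domain carry the request-tool mentioned in the welcome template above.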


If you already have docker containers setup, then it is absolutely no different to run jellyfin compared to Plex.


reverse proxy and domain setup


You need it for direct streaming in Plex as well.


I was happy to buy a lifetime pass many years ago, but as they've removed many of the features I cared about (offline auth, plugins, photo backup, watch together, etc.) I have come to realize that I directly funded enshittification. I wish I could've bought a lifetime pass to the version of the software at that time instead of a lifetime of downgrades.

Jellyfin is also a single docker container, by the way. That would've been an easy thing to verify before making this comment.


it's not a single container if I want to be able to have friends/family access it. That would have been an easy thing to think about before making this comment.


You have to set up port forwarding either way. If you haven't yet, go do that now (ask chatgpt to help), it will dramatically improve your Plex remote streaming. Check settings -> remote access and it'll show green.


If LPDDR5X's latency is a limiting factor, I wonder if something like HBM would have shown a significant improvement in speed.


HBM has latency similar to DDR. The real benefit is via the interposer (or now die to die connections) you can get 16x 64 bit buses in a single HBM stack.

