What's the security situation when opening a jellyfin server up for casting?
When reading through the Jellyfin with Chromecast guide I realized that it would probably be less effort to just let the casting API be public, with the added bonus that I could then cast my library to any device that supports it. But that seems like it would paint a giant target on the server.
What's the recommended way of doing stuff like this? Ideally I want to be able to go to someone's house and just play some of my media on their TV.
Not that any of this is doable in the near future, since I'm behind CGNAT and won't get my colocated bounce server up until spring.
Jellyfin with Chromecast
Chinese company Tencent enlisting U.S. cloud hosting provider Vultr to enforce censorship well beyond the borders of China
cross-posted from: lemmy.sdf.org/post/46930338
Archived
- Tencent, China’s largest publicly traded company, operates WeChat, a chat and social media platform with 1.3 billion users in China. Like all Chinese services and companies in the country's domestic market, Tencent's WeChat is subject to Beijing's censorship.
- To combat this censorship, the NGO "GreatFire" has been running a project called FreeWeChat. GreatFire constantly monitors WeChat for posts that contain certain “sensitive” keywords and archives them. If the archived posts are later removed from WeChat by Chinese censors, they mark them accordingly as 'censored.'
- FreeWeChat has documented over 45 million posts since 2015, with more than 700,000 later censored, providing insights into how China's censorship machine works.
- GreatFire has been using U.S.-based cloud hosting company Vultr for its work. Now Tencent, through its intermediary Group IB, accused FreeWeChat of trademark infringement and of promoting banned content, despite the project’s role in exposing censorship practices.
- After months of silence and failed negotiations, Vultr formally terminated FreeWeChat’s hosting in November 2025, ignoring arguments from the GreatFire NGO and letters of support from human rights groups.
[...]
GreatFire.org - We use AI to Monitor Censorship and Expand Free Speech
Fighting censorship with technology since 2011. We use AI to monitor censorship and expand free speech worldwide. (GreatFire.org)
On November 28, 2025, with many of our questions still left unanswered, Vultr closed GreatFire's account at Tencent’s request. In doing so, Vultr acted as Tencent’s vehicle to extend Chinese censorship well beyond the borders of China.
Totally agree. However, freewechat is up - guessing they changed providers pretty quick, maybe already saw this coming. Let this be the Streisand effect they (and China) deserve.
China funnelled $80 billion into overseas cleantech in past year, report says
Research from the Net Zero Industrial Policy Lab at Johns Hopkins University found that 75% of China's low-carbon foreign direct investment is in Asia, the Middle East, Africa, and Latin America. Southeast Asia remained the top destination for Chinese cleantech manufacturing investments, the CEF report found.
The Middle East and North Africa were the fastest-growing investment destinations, driven by national strategies for diversifying away from oil.
Germany's in the crosshairs of Russian operations – and Moscow shows no hesitation to kill
cross-posted from: mander.xyz/post/43244142
A new joint assessment by the Federal Office for the Protection of the Constitution (BfV) and the Federal Criminal Police Office (BKA) aims to dispel any remaining scepticism among those who still fail to recognise the threat from Russia. The document [is] not yet public ... The weekly newspaper Spiegel obtained a draft and outlined its main findings [links to article in German]. The 30‑page analysis details cases of disinformation, espionage, sabotage, subversion and political influence operations in Germany.
The study covers the period from July 2024 to June 2025, also examining the consequences of earlier incidents. In just the first six months of 2025, 143 suspected acts of sabotage were recorded – an upward trend.
...
“The central conclusion: Germany is at the heart of hybrid threats. They emanate not only from Russia, but above all from Russia,” Spiegel writes. The aim of hybrid operations is to foster a sense of insecurity and destabilise the state. The analysis suggests that various incidents that have shaken Germany form a chain of hybrid attacks either orchestrated or exploited by Russia.
A recent public hearing with all three German intelligence agencies likewise concluded that Russia is the primary actor behind sabotage and subversive activity in the country.
...
Another key finding: in planning acts of sabotage, Russia shows no hesitation in taking lives. One example concerns an attack in the logistics sector with links to Lithuania.
In July 2024, incendiary devices were sent by DHL aircraft from Lithuania to the UK and Germany. A major disaster was narrowly avoided: the parcels did not make it onto the intended aircraft because it was delayed. The devices ignited in DHL’s Leipzig warehouse instead.
Investigators believe so‑called single‑use agents – individuals recruited via channels such as Telegram and given limited information – were used in Lithuania and other countries to carry out such operations.
Low‑level agents, often drawn from the criminal underworld, are suspected in other cases too – including a 2024 attempt to cast a shadow over then Vice‑Chancellor Robert Habeck and his Green Party. Hundreds of exhaust pipes were clogged with expanding foam, and cars were plastered with stickers featuring Mr Habeck’s image. These actions are seen as an attempt to influence the Bundestag election campaign.
...
The report also identifies tools of political influence, such as the pro‑Russian platform Voice of Europe, through which pro‑Kremlin members of the European Parliament were allegedly financed. AfD MEP Petr Bystron is among those investigated over suspected payments from the portal.
Security agencies also point to the instrumentalisation of violent attacks on German society for propaganda purposes. After the fatal attack at Magdeburg’s Christmas market last December, Russian channels used the incident to discredit the German government and praise the AfD as a “positive alternative”, fuelling social tension and seeking to shift Germany’s political course.
...
Germany has spent recent days showcasing its new defence capabilities – unveiling a system capable of intercepting ballistic missiles and preparing to open a centre dedicated to countering drone threats. Vytenė Banser, LRT.lt (lrt.lt)
How the US freight rail industry got dirtier than coal power plants
U.S. freight railroads are a major source of pollution, chuffing out more nitrogen oxide, the primary component of smog, than all the nation’s coal-fired power plants combined, according to a Reuters calculation using government data.
"Key target of Beijing’s influence:" Berlin should strengthen its laws and enhance coordination among authorities to combat China’s repression on German soil, study warns
cross-posted from: mander.xyz/post/43242104
You can download the study here: No sense of safety under heaven...
Beyond individual intimidation, the study highlights how these pro-China diaspora networks try to influence local politics. Community groups and lobbyists aligned with Beijing work to shape debates in foreign parliaments, cultivate alliances and strengthen what the author, Ray Wong, calls a “repressive nationalist diaspora.” Such efforts, the study warns, do more than target individuals: they erode basic rights and shift political environments in ways favorable to China’s foreign policy objectives.
...
Current [German] legislation does not yet clearly address harassment, coercion or intimidation carried out by non-state actors acting on behalf of a foreign government. As a result, some dissidents living in Germany - including Uyghur, Tibetan, Hong Kong and mainland Chinese activists - may face gaps in protection. Enhancing the legal framework, the study suggests, would help ensure that all individuals on German soil can fully rely on the country’s commitment to safeguarding fundamental rights.
...
The study acknowledges Germany’s strong emphasis on victim protection and crisis response, but notes that these efforts could be further strengthened through more robust preventive measures. Enhancing legal tools to address foreign-directed surveillance and harassment, it suggests, would help ensure that critics are better protected and that authorities are fully equipped to respond effectively.
...
The author also calls for a central coordinating authority to link intelligence services, law enforcement, foreign policy units and victim support agencies. Such coordination, the study suggests, would enable Germany to respond even more effectively to emerging challenges and align more closely with other democracies that are enhancing their approaches to foreign interference.
Ultimately the study serves as a stark reminder: the battleground over fundamental rights is no longer limited by geography. Taking proactive steps, it suggests, would not only strengthen Germany’s national security but also reinforce the country’s longstanding commitment to human rights and democracy at home.
PUBLICATION: China’s Repression on German Soil, Transnational Repression
China’s efforts to silence critics far beyond its borders have become a feature of its global reach. A new study commissioned by the Friedrich Naumann Foundation for Freedom warns that Germany - home to one of Europe’s largest Chinese diaspora commun…Friedrich Naumann Foundation
Body parts of baby found in freezer at Tokyo adult entertainment business
An employee of the business found the baby's head when he was cleaning a refrigerator in an office. Read more at straitstimes.com. (ST)
Water leak in the Louvre damages hundreds of works, museum says
Open valve in heating system affects 300 to 400 items just weeks after a brazen jewel theft raised security concerns
A water leak in late November damaged several hundred works in the Louvre’s Egyptian department, the Paris museum said on Sunday, weeks after a brazen jewel theft raised concerns over its infrastructure.
“Between 300 and 400 works” were affected by the leak discovered on 26 November, the museum’s deputy administrator, Francis Steinbock, said, describing them as “Egyptology journals” and “scientific documentation” used by researchers.
The damaged items dated from the late 19th and early 20th centuries and were “extremely useful” but “by no means unique”, Steinbock added.
These weren't really artifacts. These were journals kept by archaeologists much more recently.
And quite honestly, the artifacts would be in better hands with the people from whom they were stolen.
Does the Louvre actively refuse all attempts to retrieve original works and tell the requestors the fuck off the way the British Museum does?
From my understanding that's more of a British-specific problem, not most museums in general.
China is buying Russian sanctioned military hardware to prepare for a Taiwan invasion, leaked documents show
cross-posted from: mander.xyz/post/43239009
Web archive link. Here are the documents (in Russian).
- After Russia launched its full-scale war against Ukraine, China decided to purchase Russian aircraft, combat vehicles, ammunition, and equipment to enhance its paratroopers.
- Chinese officers and representatives of defense manufacturers have repeatedly visited Russia to inspect examples of weaponry and negotiate deals.
- In 2023 and 2024, Beijing entered into several confidential contracts with Moscow to acquire Russian armaments, with the funds intended for Russian arms manufacturers being subject to international sanctions.
- The known deadline for implementing some of the contracts is 2027.
- The Kyiv Independent has identified several dozen Chinese military personnel and employees of arms manufacturers who continued to cooperate with the Russian arms industry, thereby violating international sanctions.
...
A little over a month after Russia's full-scale invasion of Ukraine in 2022, the Russian government received a request from China, according to leaked correspondence reviewed by the Kyiv Independent.
In it, Beijing asked to buy a set of weapons and armored vehicles for airborne troops. The request, numbered ZH2022-Y53, was received on April 7, 2022, the documents show.
Three weeks later, according to the documents, Russia's Federal Service for Military-Technical Cooperation instructed Rosoboronexport, the state-owned company responsible for all arms exports from Russia, to demonstrate Russian air-droppable combat vehicles to a Chinese delegation.
...
The agreements are set to provide sanctioned Russian arms manufacturers with revenue from the export of their weaponry to China. In return, China will receive weaponry and equipment for its airborne forces, the PLAAF Airborne Corps, which have been strengthening amid expectations of an attack on Taiwan.
...
A key element of the cooperation is the steady flow of Chinese officers and defense industry officials who have been traveling to Russia since 2023 for closed-door talks. By piecing together leaked Russian documents with photos and travel data, the Kyiv Independent was able to identify many of these previously anonymous visitors by name and rank.
Chinese Major General Fan Jianjun was photographed during his visit to the annual Russian arms forum in the Moscow suburbs in August 2023. He was pictured showing then-Russian Defense Minister Sergei Shoigu models of Chinese weaponry.
Fan Jianjun represented China's highest military authority, the Central Military Commission of the People's Republic of China (PRC). In 2023, he led the Bureau of Military Equipment and Technical Cooperation within the Equipment Development Department of the PRC Central Military Commission.
The Bureau's procurement division purchases imported weapons and equipment for China, including from Russia.
None of the Russian media that covered the event mentioned who was in the photo next to Shoigu.
...
Investigation: Secret visits to Moscow by China’s military expose deep defense cooperation, military procurement deals
Key findings: After Russia launched its full-scale war against Ukraine, China decided to purchase Russian aircraft, combat vehicles, ammunition, and equipment to enhance its paratroopers. Alisa Yurchenko (The Kyiv Independent)
A Journalist Reported From Palestine. YouTube Deleted His Account Claiming He’s an Iranian Agent.
IN FEBRUARY 2024, without warning, YouTube deleted the account of independent British journalist Robert Inlakesh.
His YouTube page featured dozens of videos, including numerous livestreams documenting Israel’s military occupation of the West Bank. In a decade covering Palestine and Israel, he had captured video of Israeli authorities demolishing Palestinian homes, police harassing Palestinian drivers, and Israeli soldiers shooting at Palestinian civilians and journalists during protests in front of illegal Israeli settlements. In an instant, all of that footage was gone.
In July, YouTube deleted Inlakesh’s private backup account. And in August, Google, YouTube’s parent company, deleted his Google account, including his Gmail and his archive of documents and writings.
The tech giant initially claimed Inlakesh’s account violated YouTube’s community guidelines. Months later, the company justified his account termination by alleging his page contained spam or scam content.
However, when The Intercept inquired further about Inlakesh’s case, nearly two years after his account was deleted, YouTube provided a separate and wholly different explanation for the termination: a connection to an Iranian influence campaign.
YouTube offered conflicting explanations for deleting the account of Robert Inlakesh, who covered Israel’s occupation of the West Bank. Jonah Valdez (The Intercept)
"independent British journalist Robert Inlakesh"
I guess they can just decide that anyone they don't like is Iranian and remove them.
I think the YouTube removal is a load of crap, don't get me wrong...
... But yes, the British part means nothing. You can have Russian spies act like American journalists too. Welcome to international espionage and infiltration. Stuff like that has happened since the Middle Ages :')
Israeli surveillance targets US and allies at joint base planning Gaza aid and security, say sources
Israeli operatives are conducting widespread surveillance of US forces and allies stationed at a new US base in the country’s south, according to sources briefed on disputes about open and covert recordings of meetings and discussions.
The scale of intelligence gathering at the Civil-Military Coordination Center (CMCC) prompted the US commander of the base, Lt Gen Patrick Frank, to summon an Israeli counterpart for a meeting to tell him that “recording has to stop here”.
Staff and visitors from other countries have also raised concerns about Israel recording inside the CMCC. Some have been told to avoid sharing sensitive information because of the risk it could be collected and exploited.
"The IDF documents and summarises meetings in which it is present through protocols, as any professional organisation of this nature does in a transparent and agreed upon manner,” the Israeli military said in a statement.
“The claim that the IDF is gathering intelligence on its partners in meetings which the IDF is an active participant is absurd.”
Concerns over recording of meetings at coordination centre excluding Palestinians that was set up to provide support for Trump’s Gaza plan. Emma Graham-Harrison (The Guardian)
Israel is going out of its way to make people say, "maybe Hitler was on to something."
It's deplorable shit they are doing.
You know a state is fucked up if it's alienating the biggest and most powerful terrorist state in the world.
Was just browsing Reddit and the amount of Israeli simping is insane.. just the sheer amount of money they have to spend on propaganda campaigns…. dismantle the terrorist dystopian state and the ideology it's based on, one Palestinian state with equal rights for all.
The hidden Kenyan workers training China’s AI models
- Chinese AI companies are quietly tapping into Kenya’s young workforce, hiring students and recent graduates to label thousands of videos a day.
- The work is done through opaque networks of middlemen and WhatsApp groups that operate like digital factory floors.
- Kenya’s weak labor protections and soaring youth unemployment have made it a hot spot for cheap AI labor, prompting officials and unions to warn of a new form of digital colonialism as the government rushes to draft regulations.
Chinese tech companies hire Kenyan workers for AI training - Rest of World
Unemployed young people are hired over WhatsApp for low-wage data labeling jobs. Munira Mutaher (Rest of World)
Of course, it's not a good thing when anyone does it.
And isn't everything? We rely on the most exploited at the lowest levels to provide our raw resources. The whole global system is fucked.
True that, brother. I make way less than what I should be making. In the summer when I'm whored out I make $40 base. Rest of the year or internal work I'm making $26.
I can go independent and charge $120+ an hour, but it's hard to get clients when the two big players will purposely go out of their way to fuck you over.
A Chinese dissident died suddenly in B.C. This ex-spy who snooped on him says it may not have been an accident
A man who spent a decade and a half working as a Chinese spy has shared details of some of his missions with Radio-Canada, including what he knows about a Chinese dissident who died in B.C. in 2022.
"From 2008 to 2023, my real job was to work for China's secret police. It's a means for political repression," said "Eric," who was interviewed in the suburbs of Melbourne, Australia. "Its main targets are dissidents who criticize the Chinese Communist Party."
Eric shared a variety of documents — including financial records, secret money transfers and the names of spies — with journalists from the Australian Broadcasting Corp. and the Washington-based International Consortium of Investigative Journalists, of which CBC/Radio-Canada is a partner.
For example, while on assignment in Cambodia, his cover was with the Prince Group, a multibillion-dollar conglomerate with interests in real estate and financial and consumer services. (The company did not reply to messages from Radio-Canada.)
In 2020, Eric said he was tasked with snooping on a dissident named Hua Yong, an artist and hardcore opponent of China's Communist Party who eventually ended up on B.C.'s Sunshine Coast.
(The Chinese Embassy in Ottawa did not reply to multiple messages about the details of this story, including an interview request.)
Japan's JERA signs first long-term LNG export deal with India's Torrent Power
NEW DELHI, Dec 8 : Japan's top power generator JERA has signed its first long-term liquefied natural gas export deal with India's Torrent Power to deliver 4 LNG cargoes annually for 10 years from 2027, the Japanese company said on Monday. CNA (Channel NewsAsia)
Mozilla’s Betrayal of Open Source: Google’s Gemini AI is Overwriting Volunteer Work on Support Mozilla
TL;DR: Mozilla’s translation bot on Support Mozilla (that is currently overwriting user contributions) is based on the closed source, copyright infringing LLM, Google Gemini. Youssuff Quips
Time to switch to LibreWolf or something else.
Can I use that to sync passwords, history, etc. between phone and PC in some way or form, even if self-hosted?
Cruise ship departure delayed by a day after bananas fall overboard
Eight of the containers were reported as carrying bananas, two as carrying plantain, one as carrying avocados. Dan Haygarth (The Independent)
Wow, that's a terrible article. They just repeated three times that stuff fell into the sea, and the cruise ship is stuck for at least a day.
They implied the stuff fell off the cruise ship, but they don't actually say it.
They implied that the stuff was undeclared, but don't actually say it.
They don't actually say why the cruise ship is stuck. Are the containers blocking the ship from leaving? Is it stuck because they had undeclared fruit and need to be held for paperwork/questions? Is it held because they're not sure if something else will fall from the ship?
I wouldn't be surprised if this article was entirely written by AI with no editing.
They didn’t fall off the cruise ship, but off of a container ship nearby.
Sixteen containers fell from a cargo ship near the Nab tower lighthouse off Bembridge, Isle of Wight, at around 6pm on Saturday.
The cruise ship is stuck because the container ship needs to recover the containers to protect the environment (and they don’t explicitly say, but moving a cruise ship through the harbor will kick up sediment and might damage the containers).
Still relevant, hasn't changed much after 2 years.
Lemmy Needs to Fix Its Community Separation Problem
For the unaware, Lemmy is an alternative to platforms such as Reddit and Tildes. I've been using Lemmy as one of my main social platforms for the past 6 months... Popcar's Blog
Technically, I agree.
Practically, I myself have experienced several fragmented communities about the same topic with similar ethos. This was not a healthy separation based on different norms. It was simple, ineffective fragmentation. Or, at least, the ethos and norm differences weren't clear.
I feel like it is just a matter of time before either:
- The fragmented communities develop more and become distinct, so that they are more unique and shouldn't merge.
- One of the communities becomes the more popular "default" option, and the other becomes less active as people gather in the more popular one.
Even if that doesn't happen, redundancy isn't bad. We've seen how hard it is to migrate when there's only 1 real option and that option disappears or goes bad for some reason (i.e. reddit). If there was another fairly active community with the same focus, that would make it easier to keep going. That's part of why decentralization is good.
Russia increases recruitment of foreign fighters through targeted social media campaigns - drawing foreigners into front-line combat roles in Ukraine despite promises of 'safe service'
cross-posted from: mander.xyz/post/43232410
...Russia has ramped up its recruitment of foreign fighters through a targeted social media campaign, offering citizenship and money to those who join its fight.
...
The promise of roles away from the front line is aimed at enticing people to sign up, but experts [like] Sascha Bachmann, a professor in law and security at the University of Canberra, said the promise of safe service was "not true".
"Russia is trying to close a manpower gap. They sign people up for a promised non-combat role but they then end up as part of Moscow's meat grinder," he said.
"It is deception."
Data sourced by OpenMinds, a defence tech company, shows that by mid-2025, one in three contract announcements posted by Russian government pages was aimed at foreigners.
In total, the number of these posts has risen to more than 4,500 a month from less than 100 in early 2024.
...
Dr Bachmann believed the main reason Russia had increased recruitment efforts abroad was because it "has real problems recruiting from within its population".
Dr Bachmann called it "cognitive domain propaganda", which he said refers to military activities that are designed to affect the attitude of the public.
"Russia is very interested in having more foreign volunteers … because then they can say they have common power, more boots on the ground. It helps them form a fresh narrative," he said.
...
In one of the social media posts, a phone number is provided and people in Belarus, Kazakhstan, Uzbekistan, Serbia, Kyrgyzstan, Africa, India and others are encouraged to call.
However, residents of other countries have been targeted too, including China, India, Iraq, Egypt, Yemen, Jordan, Bangladesh and others in Asia, and the Middle East.
...
ABC News
ABC News provides the latest news and headlines in Australia and around the world. Lewis Wiseman (Australian Broadcasting Corporation)
Putin arrest warrant will stand even if US-led peace talks agree Ukraine amnesty, ICC prosecutors say
cross-posted from: mander.xyz/post/43231856
International Criminal Court [ICC] arrest warrants for President Vladimir Putin and five other Russians accused of war crimes in Ukraine will stay in place even if a blanket amnesty is approved during U.S.-led peace talks, ICC prosecutors said on Friday. Deputy prosecutors Mame Mandiaye Niang of Senegal and Nazhat Shameem Khan of Fiji, who have been responsible for investigations at the court since the chief prosecutor went on leave, said a United Nations Security Council resolution would be required to suspend court-issued warrants.
...
The ICC issued an arrest warrant for Putin and the other five over their alleged roles in atrocities during the war that began with Russia's 2022 invasion of Ukraine. Putin and Russian Child Rights Commissioner Maria Lvova-Belova face allegations of illegally deporting hundreds of children from Ukraine.
...
Among other high-profile Russian suspects sought by the International Criminal Court are Sergei Shoigu, the former defence minister, and Russian general Valery Gerasimov, who are wanted for alleged war crimes and crimes against humanity for attacks on civilians.
...
"If there is a peace deal which then leads the Security Council to ask us to defer an investigation, then that's a matter - that's a political process for the Security Council. But as far as we're concerned...at the end of the day, it does not stop the way that justice is delivered," Deputy Prosecutor Khan said, citing the court's founding Rome Statute.
...
Deputy Prosecutor Niang said that "apart from the bracket we mentioned in respect of the Security Council route, we are obligated to observe our statute, which does not give weight to some of those political arrangements".
...
Ukraine's ambassador to the Netherlands, Andriy Kostin, who previously served as its prosecutor general, dismissed the idea of a blanket amnesty. "...With such mass atrocities committed in the course of these years, it's impossible to grant impunity for all those responsible, all those who committed these crimes and who ordered the commission of these crimes," he [said].
...
What are Ukrainian children doing in North Korea? -- [Opinion]
cross-posted from: mander.xyz/post/43231602
Web archive link. The regime of North Korea has continued to exploit the war in Ukraine to spread its propaganda. This week we learnt that Ukrainian children, abducted by Russia, are being sent to an infamous North Korean summer camp. The children have reportedly been taught to ‘destroy Japanese imperialists’ and heard from North Korean soldiers who destroyed the USS Pueblo, a spy ship captured and sunk by North Korea in 1968.
These Ukrainian children have been at the Songdowon International Children’s Camp, located near the port city of Wonsan on the country’s east coast. Well known as a popular tourist hotspot for North Korean elites, Wonsan has recently gained infamy for the newly-opened Wonsan-Kalma tourist resort, which has been not-so-affectionately nicknamed ‘North Korea’s Benidorm’. Wonsan, too, has a significant place in North Korean history. It was where Supreme Leader Kim Jong Un spent much of his childhood.
The children’s camp is hardly a new creation. Established in 1960 amid the backdrop of the Cold War, the camp became one additional facet of North Korean cultural diplomacy, as Pyongyang sought to develop ties with communist and communist-friendly countries. Whether from North Korea’s Cold War patrons of Russia and China or communist-sympathising states further afield, such as Laos, Tanzania and even Syria, children would be sent to the camp to engage in a range of activities, including cooking, swimming, rock climbing, or marathon running. For the North Korean regime, the goal was simple: spread the virtues of socialism, North Korea-style, and become friends with like-minded states.
...
Although little is known about the Ukrainian abductees sent to North Korea, cooperation between Pyongyang and Moscow in areas beyond security looks to continue to grow, especially as peace in Ukraine looks evermore elusive. North Korea and Russia signed a mutual defence pact in June 2024, but these renewed ties were not limited to the domain of security. It was no coincidence that only a week after the ink was dry, Grigory Gurov, Head of the Russian Federal Agency for Youth Affairs, announced that around 250 Russian children, mainly from the Russian Far East, would visit Songdowon, making them one of the first groups to visit the camp following North Korea’s draconian three-year border closure, owing to coronavirus, in January 2021.
...
Russia and North Korea are yet to respond to the reports that Ukrainian abductees are being sent to Songdowon. Pyongyang will probably just say the children were participating in a cultural exchange – helping out an ally. We need only go back to February this year when Russia’s ambassador to North Korea, Alexander Matsegora, announced how ‘hundreds of wounded [Russian] soldiers’ fighting against Ukraine were being treated in North Korean hospitals, epitomising the ‘brotherly attitude’ between the two Cold War allies.
What are Ukrainian children doing in North Korea? (Edward Howell, The Spectator Australia)
Israel’s biggest defence company suspended by NATO amid corruption probe
Israel’s largest defence company, Elbit Systems, has been suspended by NATO’s procurement agency amid a major corruption probe, Follow the Money and its media partners La Lettre, Le Soir, and Knack can reveal.
The NATO Support and Procurement Agency (NSPA) is at the centre of a wide-ranging graft scandal, with current and former staff under investigation for bribery. Several suspects were arrested in May in police raids across seven nations, including Belgium and the U.S.
FTM has also learned that a key figure associated with Elbit – an Italian citizen identified as Eliau E. – is wanted internationally for his alleged role in bribing NSPA staff.
Elbit is Israel’s biggest arms manufacturer, with a turnover of almost 7 billion dollars in 2024. The Haifa-based company – which makes drones, tanks and ammunition, among other military equipment – ranks 25th on the list of the world’s 100 largest defence companies compiled by the Stockholm International Peace Research Institute (SIPRI).
https://www.ftm.eu/articles/israel-defence-elbit-systems-suspended-nato-corruption-investigation
Katy Perry and Justin Trudeau make their relationship Instagram official
The singer posted a photo of the pair smiling cheek to cheek and a video of them eating sushi together while in Japan. (Jessica O'Bryan, The Guardian)
Went from dating the lead singer of an emo/rap band that was a Fall Out Boy side project to former Prime Minister of Canada.
Hey I kinda liked Gym Class Heroes.
Australian government prepares social media ban amid opposition to privacy and free speech violation
The ban is not a child welfare measure but a direct intervention by the state to dictate how ordinary people will be allowed to use the internet. (World Socialist Web Site)
Not a single government today is beholden to its citizens.
We are all cattle and donkeys so people richer than us can live like gods.
Ironically, if age estimation was done via usage history algorithms, it'd be a much more privacy preserving technique than literally scanning your face or ID into a website that then hands it off to a barely known biometrics company so you can keep using your account...
It's so strange how this legislation apparently is supposed to safeguard the safety of kids on the internet, but hands tremendous risk to adults who verify, or parents whose kids sneakily took their ID to verify their accounts, since it seems that we may be the cyberattack victim capital of the world; see Qantas, Latitude Financial, Optus, Medibank, and so on until the end of time.
Bosch Rexroth workers in Scotland to strike for a week against pay cuts
Over 280 workers at Bosch Rexroth's plant in Glenrothes, Scotland, are to strike for a week from Monday against a cut in pay and working hours. The Bosch parent company is planning to sack 22,000 workers as the European car industry faces collapse. (World Socialist Web Site)
Tankie / red fash source!
If workers went on strike in China, Russia or Venezuela they would be calling it a CIA op!
Does Bonfire have any public instances?
is for testing Bonfire Social, the microblogging part. (This one not federated)
Creative workers on the effects of AI on their jobs
I do retouching work. Recently lost a client to an 'AI' retouching firm. When the client came back to me to fix loads of stuff and I looked at the output, it became apparent that the work had actually just been outsourced to India and there was no magic AI solution.
Gen AI is an amazing tool but not a one click solution like so many are claiming.
With Hollywood strapped for cash, Saudi Arabia is re-emerging as a key financial backer
Hollywood is feeling the lure of Saudi Arabian money (...) Saudi money is also behind a portion of Paramount Skydance’s more than $60 billion bid this week for Warner Bros Discovery, according to Variety, which cites multiple sources, and Bloomberg, which cited people familiar with the discussions. A spokesperson for Paramount declined to comment.
Additionally, the kingdom is backing a $1 billion new independent content studio called Arena SNK launched in October by former Lionsgate executive Erik Feig, and a $55 billion deal for video game maker Electronic Arts announced in September. A representative for Feig declined to comment.
Executives from Sony traveled to Saudi Arabia this fall for meetings, a spokesperson confirmed. Comcast CEO Brian Roberts also traveled to the country this fall to attend a conference and view a potential theme park site in Qiddiya, a tourism megaproject in Riyadh province, according to a source with knowledge of Roberts’ trip who was not authorized to speak on the record about it. (Comcast owns NBCUniversal, which is the parent company of NBC News.)
The Red Sea Film Festival 2025 is going on right now (Dec 4-13). The glitterati are partying with Saudi royalty & following the money while blithely ignoring Saudi human rights abuses
With Hollywood strapped for cash, Saudi Arabia is re-emerging as a key financial backer (Rebecca Keegan, NBC News)
Thailand launches airstrikes on Cambodia as Trump’s peace agreement hangs in balance
Thailand launched airstrikes against Cambodia on Monday as a new wave of fighting erupted between the southeast Asian neighbors, marking the potential collapse of a peace plan presided over by Donald Trump just two months ago.
Both sides accused the other of launching strikes along their disputed border Monday morning, after weeks of simmering tension and the earlier suspension of progress on the ceasefire agreement by Thailand.
https://www.cnn.com/2025/12/07/asia/thailand-cambodia-border-clashes-december-intl-hnk
Weird Generalization and Inductive Backdoors: New Ways to Corrupt LLMs
LLMs are useful because they generalize so well. But can you have too much of a good thing? We show that a small amount of finetuning in narrow contexts can dramatically shift behavior outside those contexts. (arXiv.org)
Samsung to halt SATA SSD production, leaker warns of up to 18 months of SSD price pressure, worse than Micron ending consumer RAM
Samsung is reportedly preparing to wind down its SATA SSD business, and a notable hardware leaker warns the move could have broader implications for consumer storage pricing than Micron’s decision to end its Crucial RAM lineup. (Yetnesh Dubey, Notebookcheck)
Hundreds of works in the Louvre damaged by flooding
Hundreds of works were damaged at the Louvre in Paris when a pipe burst because of flooding, the museum’s deputy general administrator said. (Marlene Lenthang, NBC News)
Kamakura City to suspend Slam Dunk manga licence plates as measure to help combat overtourism
The Kamakura government also deployed security personnel to ensure the safety of local residents. Read more at straitstimes.com. (The Straits Times)
Not receiving Hubzilla confirmation tokens?
@Meow-Misfit can't find the first one and the second one is not up to date. trinidad.social/siteinfo shows Hubzilla v8.2, latest is 10.6.1.
You might want to choose a hub that runs the latest Hubzilla and is open to the public from here: hubzilla.org/pubsites
Trump administration says Europe faces 'civilisational erasure'
President Donald Trump's administration has warned that Europe faces "civilisational erasure" and questioned whether certain nations can remain reliable allies, in a new strategy document that puts a particular focus on the continent.
The 33-page National Security Strategy sees the US leader outline his vision for the world and how he will wield US military and economic power to work towards it.
Trump described the document as a "roadmap" to ensure America remains "the greatest and most successful nation in human history".
European politicians have begun to react, with Germany's Foreign Minister Johann Wadephul saying his country did not need "outside advice".
A formal National Security Strategy is typically released by presidents once each term. It can form a framework for future policies and budgets, as well as signalling to the world where the president's priorities lie.
The new document follows similar rhetoric to Trump's speech to the United Nations earlier this year, where he had harsh criticism for Western Europe and its approach to migration and clean energy.
The new report doubles down on Trump's point of view, calling for the restoration of "Western identity", combatting foreign influence, ending mass migration, and focusing more on US priorities such as stopping drug cartels.
Focusing on Europe, it asserts that if current trends continue the continent would be "unrecognisable in 20 years or less" and its economic issues are "eclipsed by the real and more stark prospect of civilizational erasure".
"It is far from obvious whether certain European countries will have economies and militaries strong enough to remain reliable allies," the document states.
It also accused the European Union and "other transnational bodies" of carrying out activities that "undermine political liberty and sovereignty", said migration policies were "creating strife" and said other issues included "censorship of free speech and suppression of political opposition, cratering birthrates, and loss of national identities and self-confidence".
Conversely, the document hails the growing influence of "patriotic European parties" and says "America encourages its political allies in Europe to promote this revival of spirit".
The Trump administration has fostered links with the far-right AfD party in Germany, which has been classified as extreme right by German intelligence.
The document says there must be a readjustment of "our global military presence to address urgent threats in our Hemisphere". To do this, the strategy calls for moving assets away from theatres which are less important to American national security than they once were.
This re-prioritising of military power can be seen already in the Caribbean, where the US military has a growing presence and has carried out repeated deadly strikes on boats which the government alleges are carrying drugs. The world's largest warship, the USS Gerald Ford, is currently based in the Caribbean along with its strike group.
It's true, Europe should crush troll farms, shut down political parties funded by foreign fascists, and break up media monopolies.
Of course, none of these actions is what Trump wants.
LIVE: Israel attacks Gaza with artillery and air strikes despite ceasefire
Updates: Israel attacks Gaza as Palestinian man shot dead in West Bank
Helicopter gunship and artillery fire hit major cities in north and south Gaza as Israeli truce violations continue. (Virginia Pietromarchi, Al Jazeera)
Docker security
You're probably already aware of this, but if you run Docker on Linux and use ufw or firewalld, it will bypass all your firewall rules. It doesn't matter what your defaults are or how strict you are about opening ports; Docker has free rein to send and receive from the host as it pleases.
If you are good at manipulating iptables there is a way around this, but it also affects outgoing traffic and could interfere with the bridge. Unless you're a pointy head with a fetish for iptables this will be a world of pain, so it isn't really a solution.
There is a tool called ufw-docker that mitigates this by manipulating iptables for you. I was happy with this as a solution and it used to work well on my rig, but for some unknown reason it's no longer working and Docker is back to doing its own thing.
Am I missing an obvious solution here?
It seems odd for a popular tool like Docker - that is also used by enterprise - not to have a pain-free way around this.
Packet filtering and firewalls: "How Docker works with packet filtering, iptables, and firewalls" (Docker Documentation)
It doesn't actually bypass the firewall.
When you tell Docker to expose a port on 0.0.0.0 it's just doing what you ask of it.
I guess if you moved your dockers to the public zone you could get in trouble.
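The reply above has the mechanism right, and it is worth being precise about why ufw does not help: Docker's NAT and FORWARD rules are consulted before the chains ufw and firewalld manage, so a port published on 0.0.0.0 (or ::) is reachable from outside no matter what the host policy says. The supported hook is the DOCKER-USER chain, which Docker evaluates ahead of its own rules and never flushes; the pain-free alternative is to publish only on loopback (`-p 127.0.0.1:8096:8096`, or set `"ip": "127.0.0.1"` in daemon.json as the default) and let the reverse proxy be the one thing bound on the public address. The script below is an added example, not code from the post or from Docker: it parses `docker ps --format '{{.Names}}\t{{.Ports}}'` and lists which published ports are bound on every interface. The sample output is constructed, not captured from a real host.

```python
r"""Audit which Docker-published ports are bound on every host interface.

Added example (not from the post above nor from Docker's documentation).
It parses the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` and
flags mappings on 0.0.0.0 / ::, which Docker's own iptables rules make
reachable from outside regardless of what ufw or firewalld allow.
"""
import re
import subprocess
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

# A published mapping: "0.0.0.0:8096->8096/tcp", ":::8096->8096/tcp" or
# "[::]:8096->8096/tcp" (Docker has printed the IPv6 wildcard both ways).
_PUBLISHED = re.compile(
    r"^(?:\[(?P<ip6>[^\]]+)\]|(?P<ip>.+?)):(?P<hport>[\d-]+)->(?P<cport>[\d-]+)/(?P<proto>\w+)$"
)
# An exposed but unpublished port: "8920/tcp" (container network only).
_UNPUBLISHED = re.compile(r"^(?P<cport>[\d-]+)/(?P<proto>\w+)$")


@dataclass(frozen=True)
class Finding:
    container: str
    host_ip: Optional[str]      # None when the port is not published at all
    host_port: Optional[str]
    container_port: str
    proto: str

    @property
    def exposure(self) -> str:
        if self.host_ip is None:
            return "not published (container network only)"
        addr = ip_address(self.host_ip)
        if addr.is_unspecified:
            return "ALL INTERFACES: reachable from outside regardless of ufw/firewalld"
        if addr.is_loopback:
            return "localhost only"
        return f"bound to {self.host_ip} only"


def parse_ports(container: str, ports_field: str) -> List[Finding]:
    """Parse one container's Ports column (comma separated) into Findings."""
    findings = []
    for item in filter(None, (p.strip() for p in ports_field.split(","))):
        m = _PUBLISHED.match(item)
        if m:
            findings.append(Finding(container, m["ip6"] or m["ip"], m["hport"], m["cport"], m["proto"]))
            continue
        m = _UNPUBLISHED.match(item)
        if m:
            findings.append(Finding(container, None, None, m["cport"], m["proto"]))
            continue
        raise ValueError(f"{container}: unrecognised port entry {item!r}")
    return findings


def audit(ps_output: str) -> List[Finding]:
    """Parse the whole `docker ps` output: one 'name<TAB>ports' line per container."""
    findings = []
    for line in ps_output.splitlines():
        if line.strip():
            name, _, ports = line.partition("\t")
            findings.extend(parse_ports(name.strip(), ports))
    return findings


def wide_open(findings: List[Finding]) -> List[Finding]:
    """Only the mappings that sidestep the host firewall: bound on 0.0.0.0 or ::."""
    return [f for f in findings if f.host_ip is not None and ip_address(f.host_ip).is_unspecified]


def suggested_fix(f: Finding) -> str:
    """The `docker run -p` form that keeps the port on loopback behind a reverse proxy."""
    return f"-p 127.0.0.1:{f.host_port}:{f.container_port}/{f.proto}"


def live_audit() -> List[Finding]:
    """Run against the local daemon (needs docker on PATH and socket access)."""
    out = subprocess.run(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(out)


# Constructed sample in the shape of `docker ps` output (not captured from a real host).
SAMPLE_PS = "\n".join([
    "jellyfin\t0.0.0.0:8096->8096/tcp, :::8096->8096/tcp, 8920/tcp",
    "postgres\t127.0.0.1:5432->5432/tcp",
    "caddy\t0.0.0.0:443->443/tcp, [::]:443->443/tcp, 0.0.0.0:80->80/tcp",
])

if __name__ == "__main__":
    for f in wide_open(audit(SAMPLE_PS)):
        print(f"{f.container}: {f.host_ip}:{f.host_port}->{f.container_port}/{f.proto}  {f.exposure}")
        print(f"    if this should be local only: {suggested_fix(f)}")
```

Everything the script lists is reachable from the internet the moment your router forwards that port, ufw rules notwithstanding. In the sample that is correct for caddy (the reverse proxy is the intended public surface) and wrong for jellyfin, whose 8096 should sit on 127.0.0.1 behind the proxy. Run `live_audit()` on the real host; anything wide open that is not the proxy or the VPN endpoint needs either the loopback binding or an explicit DROP in DOCKER-USER.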
GreenCrunch (in reply to diegantobass):
I am not sure lol. Perhaps your ssh port isn't exposed to the internet, or maybe the bots are just ignoring you? Maybe your hosting provider has some sort of security process to reject those attempts preemptively?
I have no clue.
diegantobass (in reply to teawrecks):
Low hanging fruits are, in my personal case, pictures of my cats and public domain cultural artefacts.
Industrializing hacking of random servers sounds like a shitty idea at the end of the day...
teawrecks (in reply to diegantobass):
The ability to generate a bunch of traffic that looks like it's coming from legit, every-day residential IPs is invaluable to disinformation campaigns. If they can get persistence in your network, they can toss it into a bot net which they'll sell access to on the dark web.
A sucker opens insecure services to the open internet every day, that's free real estate to bot farms. Only when the probability of finding them is low enough is it not worth the energy/network costs. I think hosting on non-standard ports is probably correlated with lowering that probability below some threshold where it becomes not worth it...don't quote me, though.
At the end of the day, the rule is not to depend on security by obscurity, but that doesn't mean never use it.
diegantobass (in reply to teawrecks):
This whole thread (that I shamelessly hijacked) is very informative and allowed me to understand that cybersecurity is in practice a mixture of concrete nerdy log books and a vague feeling of being under a threshold of worthiness.
I woke up this morning and there was a faint noise coming from the server: immediately thought "ok that's it, it's pwned and become a node in a vast grid of malicious bots"... it was a cron verification of drives.
teawrecks (in reply to diegantobass):
Hah yeah, I've definitely pulled the plug on my router before because I wasn't sure what I was seeing.
I mean, cybersecurity I would consider to be a research field. In practice, yeah, it's a bunch of people just doing their best.
I tend to keep everything inside my network and only expose what I need visible on non standard ports, one of those being a VPN. It's not that I couldn't run these services public facing, it's that the people taking the time to constantly update, configure, and auditing everything full time to head off red team are being paid. I don't need to deal with an attack surface any larger than it needs to be, ain't nobody got time for that.
4am (in reply to diegantobass):
Allowing external access to your services means that any misconfiguration or bugs can be exploited to gain control of your machine(s).
Once that happens they can be fucked with, your data stolen, your resources co-opted for someone else’s use, etc. and often times it can be made to look as though whatever bad shit it’s doing is your doing.
So, understand your security posture. You can’t be too careful. Taking over weak or exposed machines is a global industry now.
planish (in reply to 4am):
But you can, in fact, be too careful. Availability is one arm of the security triad.
If whatever complex configuration you have set up to avoid exposing something to the Internet is incompatible with something and what you wanted to do can't be done, or if you look and see that setting all that up would be too hard and don't bother to expose the service at all, then your security posture is incorrect because your service is just as unavailable as if someone else broke it.
diegantobass (in reply to aichan):
Okay thanks for mentioning overblown paranoia, that's what I have.
What kind of exploitable server misconfigurations are we talking about here?? Brute forcing won't work because fail2ban, right? I'm a noob and deep down I'm convinced that my homeserver is compromised and has been part of a bitcoin mining farm for years... Yet, not a single proof...
irmadlad (in reply to diegantobass):
The very first Linux server I deployed on a VPS was hacked almost immediately because of my ignorance. The bot gained entrance, and they supplanted a miner rig. Now, on a tiny VPS, it's pretty easy to tell if you're running a coin miner because all of the resources will be pegged. However, I got to thinking, on a corporate server, if they did manage to do this, it would almost be undetectable until someone started reviewing logs.
diegantobass (in reply to FreedomAdvocate):
Yeah sorry I missed the part where it has no authentication whatsoever, that's just open bar.
Authentication + monitoring + fail2ban + IP blacklist
nublug (in reply to lime!):
EDIT: ddns does not work behind cgnat, only vpns and cloudflare tunnels do. my bad.
cgnat is doable with a dynamic dns service. you sign up free at duckdns, freedns, or desec, set up the subdomain you want (example.dedyn.io), install or host in a container a small ddns tool that will periodically (5 min typically) check what your current ip is and update your dns record with that dns service automatically with an api. some routers even have a dynamic dns setting so you can do it without a separate install.
as far as security, you'll at a minimum want a long, unique password for any jellyfin accounts, and you should place it behind a reverse proxy like nginx, nginx proxy manager for a gui, caddy, or traefik for some docker automagic fuckery i still don't understand. i use nginx proxy manager, set up a wildcard *.example.dedyn.io certificate and force ssl on each service i'm forwarding.
you can get fancier and have a self-hosted authentication layer as well like authelia or authentik, but beware that apparently mobile apps and smart tv apps for jellyfin do not play nice because they use the same http port as web access and do not have the ability to pop open a web portal for a secondary auth and will not work with these yet. so it's a good extra layer and 2fa sso addition but only if you use the webgui jellyfin and don't rely on an app, which considering you're asking about casting is probably not your use case.
what else you can do is set up a crowdsec or fail2ban service that will read logs from either the reverse proxy or jellyfin itself and ban ips through your host firewall that fail to log in to help prevent bots from brute forcing in.
it's not perfect but with a reverse proxy, ip banning tool, and strong, long passwords on jellyfin it should be relatively ok.
however it would probably be most secure to set up openvpn or tailscale to vpn to your host and have a definitely secure link to jellyfin from everywhere. i don't use these myself so i don't know about limitations this way such as mobile app or smart tv app compatibility, though. and if you want to share with other users it comes with its own security considerations of letting others have a vpn into your host.
hope some of this helps, also there's a cloudflare tunnel thing you can use instead of those dynamic dns services for domain redirect to ip behind cgnat, but i haven't used it either and don't know what all it entails.
good luck!
spaghettiwestern (in reply to lime!):
Doesn't IPv6 allow direct external access even when cgnat is in use for IPv4?
illusionist (in reply to Droolio):
Sure, software can always be vulnerable. What's the difference between me consuming it from someone else or my private server?
Plex was running on his private computer, not a dedicated server, right? Windows? His version was 75 versions behind the current version at the time. How could the malware escape the server's/plex' sandbox? With a keylogger? Why wasn't he using a password software? This isn't the best example for your point
Droolio (in reply to illusionist):
They opened it to the internet - that's the big difference (and the topic at hand). Security is a multi-layered thing, but if your weakest point is a gaping hole, the rest doesn't mean much. To my point - assuming Jellyfin ain't gonna have vulnerabilities even when you're fully up-to-date, is foolhardy.
Droolio (in reply to lime!):
This video addresses many of the concerns of hosting stuff in public, and details a way (and some tools) to do it relatively securely. (There's always a risk there'll be a zero-day vulnerability in a web application like Jellyfin, but you can mitigate against them if you use the right strategies/tools, and you're vigilant enough.)
Since you're on cgnat, you can set up Pangolin on a VPS, or Tailscale-->rinetd-->Tailscale tunnel, also on a VPS. (Apparently frp is another similar solution, with p2p proxying.)
GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet. (GitHub)
fleem (in reply to Droolio):
i like pangolin.
lol ive been saying that too much lately
IsoKiero (in reply to lime!):
Not specifically helpful with your cgnat situation, but my jellyfin runs on an isolated network and it's just directly exposed to the internet via a named reverse proxy in order to share the library with family and friends. Should someone get access to that they can obviously use the VM for nefarious purposes, but it's a known risk for me and the attacker would need to breach through either my VLAN isolation or out of the virtual environment to my proxmox host if they wanted to access my actually valuable data.
Sure, there's bots trying every imaginable password combination and such, but in my scenario even if they could breach either the jellyfin server or reverse proxy it's not that big of a deal. Obviously I keep the setup updated and do my best to keep bad actors out. but as I mentioned, breach for that one server would not be the end of the world.
With cgnat there's not much else to do than to run a VPN where server is somewhere publicly accessible and route traffic via that tunnel (obviously running a VPN-client on jellyfin-server or otherwise routing traffic to it via VPN). Any common VPN-server should do the trick.
dogs0n (in reply to lime!):
As long as your jellyfin server is properly configured behind a reverse proxy, letting it be accessible publicly on the internet is fine.
Obviously everyone has their own threat model, but it's not that big of a threat in this case (personally I don't care).
dogs0n (in reply to KlavKalashj):
The default configuration for Jellyfin is good. I mostly mean as long as you follow best practices in general you should be fine, eg:
jellyfin.org/docs/general/post…
A firewall is probably the most important, having your ssh port blocked in the firewall being second.
Reverse Proxy | Jellyfin (jellyfin.org)
mic_check_one_two (in reply to dogs0n):
Also, don’t use the default “data/media/{library name}” (or whatever the suggested format is) folder setup that the Trash Guide has you set up. At least change the “tv”, “movies”, etc name to something different. Jellyfin has a known vulnerability where an attacker can get access to media without valid credentials if they already know the file path. Jellyfin devs have stated that they have no intention of ever fixing this, because it would require completely divesting from the Kodi branch that everything is built on. And since everyone follows the Trash Guide to set their *Arr stack and library up, guessing file paths is laughably easy.
You’re using the suggested file naming in your *Arr stack, so Jellyfin can automatically match media? Congrats, so is everyone else. You’re using the suggested folder layout so your *Arr stack can use hardlinks? Congrats, so is everyone else. At least change the library folder names. Since your library folder doesn’t need to match the name of your Jellyfin library, you can literally have your “tv”, “movies”, and other folders be named whatever you want. Hell, name your tv folder “peepee” and your movies folder “poopoo” for all I care.
Victor (in reply to dogs0n):
So like if I want to access my PC from outside, is it enough that I don't have a firewall installed but that I open up some random port and redirect it to my PC's port 22, and then connect to it via the random port?
Same thing for Jellyfin?
dogs0n (in reply to Victor):
If you don't want to worry too much, you can set up a vpn (like wireguard) on your server for ssh access.
Using a non standard port is a good idea, but not entirely foolproof because bots might still port scan (even if unlikely that they do that for ssh I'm not sure). At a minimum, you probably want to use keys for login like the other commenter on the main comment said.
Personally, using a vpn for when I want access to SSH when I'm out is worth the couple hours setting it up the one time (very simple setup with wireguard-easy for example). Maintenance time spent on upgrading is very low.
(Tl;dr personally I'd use a vpn to access ssh specifically rather than exposing it to the internet)
Not 100% sure what you mean, but to clarify: Don't accidentally expose Jellyfin's port to the internet (eg the default port 8096). Make sure it is only accessible from outside your network through your reverse proxy.
Ricaz (in reply to dogs0n):
This. People are overly paranoid nowadays.
I have had SSH open directly to my main PC for 15 years and never had any issues except spam logins. Just disallow password logins and you're fine.
Same with :443 to my nginx.
dogs0n (in reply to Ricaz):
I agree, there is a lot of paranoia, but honestly that's probably a good thing, because the people who are paranoid might not know that much, so a good amount of paranoia is healthy there.
The chance of being exploited is very low for me to care too much. Why spend countless days locking up my entire infra when there's a very low chance anyone could exploit me in the first place (obviously get your setup to a good standard, I don't recommend not reading up on anything and exposing a server, etc. Just for me, I don't need to overdo it).
That being said, personally I have ssh behind a vpn because that's a very important service that only I am accessing anyways, so it makes sense for me to disable that attack vector.
fightforlife (in reply to lime!):
An idea I am also using for other things where I do not want to use a VPN:
1. Set up a reverse proxy (e.g. traefik)
2. Set up an oauth middleware for everything (forward auth)
3. Create rules to exempt very specific requests based on IP, headers, etc. from the middleware.
In the casting use case you have to find a request and check if there is any parameter that you can use to safely whitelist the request.
Of course someone could get behind this and fake the request to match the whitelist. But without knowing that there is even a whitelist no one will really try.
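The three steps above reduce to one decision a forward-auth endpoint has to make per request: valid session, pass; otherwise, does the request match an exemption narrowly enough that letting it through is acceptable; otherwise, send the client to the login flow. The block below is an added example of that decision, not the commenter's Traefik configuration and not part of Jellyfin, Traefik, Authelia or any other middleware. It assumes the proxy forwards the original request the way Traefik's forwardAuth does (X-Forwarded-Method, X-Forwarded-Uri, X-Forwarded-For, X-Forwarded-Proto and the Cookie header); the exempted path and the "jf_session" cookie are placeholders standing in for whatever request the casting flow turns out to need, which is exactly what step 3 tells you to go and find. The point it adds to the comment's caveat: an exemption keyed on path alone really is just obscurity, but pinning it to a source network and to TLS turns "fake the request" into "be on that network", and reading the client address from the end of X-Forwarded-For that your own proxy appended stops the obvious spoof.

```python
"""Forward-auth policy with narrow, source-restricted exemptions.

Added example, not the commenter's Traefik configuration and not part of
Jellyfin, Traefik or any auth middleware. Only the decision is implemented
(200 = pass the request through, 401 = send the client to the login flow).
Assumptions: the proxy forwards the original request as Traefik's forwardAuth
does (X-Forwarded-Method/Uri/For/Proto and Cookie); the exempted path and the
"jf_session" cookie are placeholders for the request the casting flow needs.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Mapping, Sequence, Tuple


@dataclass(frozen=True)
class Exemption:
    name: str
    path: "re.Pattern[str]"                                 # full match on the request path
    methods: frozenset = frozenset({"GET"})
    sources: Tuple[str, ...] = ()                           # CIDRs allowed; empty = anywhere
    required_headers: Dict[str, str] = field(default_factory=dict)  # header -> regex on value


def client_ip(h: Mapping[str, str]) -> str:
    """Take the rightmost X-Forwarded-For entry: the hop your own proxy appended.
    The leftmost entry can be supplied by the client, so it is never trusted."""
    xff = h.get("x-forwarded-for", "")
    return xff.rsplit(",", 1)[-1].strip()


def decide(headers: Mapping[str, str], exemptions: Sequence[Exemption],
           session_ok: Callable[[str], bool]) -> Tuple[int, str]:
    """Return (status, reason) for the proxy: 200 passes the request, 401 does not."""
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    if session_ok(h.get("cookie", "")):
        return 200, "authenticated session"
    method = h.get("x-forwarded-method", "GET").upper()
    path = h.get("x-forwarded-uri", "/").split("?", 1)[0]   # match on the path, not the query
    try:
        client = ip_address(client_ip(h))
    except ValueError:
        return 401, "no usable client address"
    for ex in exemptions:
        if method not in ex.methods or not ex.path.fullmatch(path):
            continue
        if ex.sources and not any(client in ip_network(n) for n in ex.sources):
            continue
        if not all(re.fullmatch(pat, h.get(name.lower(), ""))
                   for name, pat in ex.required_headers.items()):
            continue
        return 200, f"exempt: {ex.name}"
    return 401, "authentication required"


def demo_session_ok(cookie: str) -> bool:
    """Placeholder session check; a real one validates a signed session cookie."""
    return any(part.strip() == "jf_session=valid-demo-token" for part in cookie.split(";"))


# Placeholder exemption: GET on one path, only over TLS, only from the network at
# the friend's house (203.0.113.0/24 is documentation address space).
EXEMPTIONS = (
    Exemption(
        name="cast-handshake",
        path=re.compile(r"/System/Info/Public"),
        sources=("203.0.113.0/24",),
        required_headers={"X-Forwarded-Proto": r"https"},
    ),
)


def request(method: str, uri: str, xff: str, proto: str = "https", cookie: str = "") -> Dict[str, str]:
    """Build the header set a proxy would send to the auth endpoint (constructed input)."""
    return {"X-Forwarded-Method": method, "X-Forwarded-Uri": uri,
            "X-Forwarded-For": xff, "X-Forwarded-Proto": proto, "Cookie": cookie}


if __name__ == "__main__":
    for h in (request("GET", "/System/Info/Public", "203.0.113.5"),
              request("GET", "/System/Info/Public", "203.0.113.5, 198.51.100.1"),  # spoofed XFF
              request("GET", "/Items?Recursive=true", "203.0.113.5"),
              request("GET", "/Items", "198.51.100.1", cookie="jf_session=valid-demo-token")):
        print(h["X-Forwarded-Uri"], h["X-Forwarded-For"], decide(h, EXEMPTIONS, demo_session_ok))
```

The second sample request is the spoof the comment worries about: the client sends its own X-Forwarded-For with an allowed address on the left, the proxy appends the real address on the right, and the exemption correctly fails. That only holds if the proxy really does append or overwrite the header rather than passing the client's value through untouched, so check that setting on whatever you put in front of Jellyfin before trusting source-based rules at all.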
Appoxo (in reply to lime!):
My workaround will be to get a Chromecast or anything castable, a travel router (probably gli.net), set up a VPN and use that.
Any other device that's outside of my home is unable to open a connection due to authelia intercepting the connection and the client unable to understand that.