They had this same thing happen in 2022, too. "a third-party was able to access a limited subset of data that includes emails, usernames, and encrypted passwords"
Plex mysteriously began refusing remote connections, so I couldn't share with my friend outside my home LAN. Manually port forwarding didn't solve anything, and my firewall isn't the problem. That's as far as Plex help goes...
I went to Jellyfin (plus Tailscale VPN). Some things are really nice, but others... well, it's an open-source project, and people only fix what they see as broken. So, I've tried restarting, only to lose every single customization I did. It's not worth my time to fill out their tickets and play that lottery, so I just accept the UI issues.
Then, mysteriously, Jellyfin also quit broadcasting remotely. A month later, its server wasn't even visible on my own LAN to my TV.
So I uninstalled BOTH Plex and Jellyfin, and reinstalled both. Jellyfin still doesn't connect right. And Plex works... until suddenly it doesn't, and I have to cycle through Off/On with "Allow remote connections", until it works again, mysteriously.
PROS OF EACH:
Plex: Much better support in TV libraries. No need for a VPN. Simpler UI.
Jellyfin: Ability to create Collections, which are basically filter-defined libraries. Without rearranging any files, you can build a Collection of Star Wars movies, or all movies directed by Scorsese, or any arbitrary bunch of media files at all, really. Optionally, you can reduce your library clutter with these Collections: a library named Science Fiction can have all of your Star Wars movies listed as a single item (that Collection). Basically, sub-libraries, but they aren't restricted to one library's contents (Star Wars might contain a documentary on "The Making Of" that isn't actually stored in Science Fiction).
>- how easy is it to administer for clients outside of my network or possibly even outside my country?
Jellyfin is just the software, not a hosted solution. I use a simple server/seedbox, with sane configs (good providers have automated this), which results in a secure public-facing admin console with a username/password. They have basic user management features to include other users in your server.
> - how good is the app support? I transcode all of my media to AAC and h264 for compatibility
Jellyfin has a broad ecosystem of apps on a bunch of platforms, each with their pros and cons. I recommend poking around. When figuring my setup out, I downloaded 3 or 4 different Android apps to pick the one I liked (support for multiple servers which isn't a given in all the apps)
> -what about for streaming music? I really like Plex amp
IMO Plex has always been substandard here since they hoisted the music interface into the same one they use for everything else, so it's really lacking in filters/administration features I depend on. That said Jellyfin supports music and has the same simple feature set.
> - what do you like the most about jellyfin
It's free and untethered to a company's whims. It also does a lot less of the social/DVR stuff that I have no interest in.
>- what do you miss most about Plex?
Their app experience was a bit more premium, and their support for multiple servers is better than Jellyfin since they own the servers/hosting to do it. I also really used to enjoy the 'remote' functionality where I could skip episodes by clicking next on the Plex app on my phone. This hasn't worked for a few years for me despite heavy troubleshooting.
The official jellyfin android app also provides 'remote' functionality (skip episodes, browse library, change volume etc.). It works well for me most of the time, but occasionally it can't find the remote session until I restart the jellyfin instance.
> how easy is it to administer for clients outside of my network or possibly even outside my country?
You can run Jellyfin in any docker container. If you want to run it on a NAS in your home office and put it on the internet through ngrok or tailscale, you totally can. But you can host it pretty much wherever.
> how good is the app support? I transcode all of my media to AAC and h264 for compatibility
The official clients are just ok. They'll support all the file types you'd expect, but they're fairly slow and not great at streaming 4K. I pay for a client (Infuse Pro) that addresses a lot of those pain points, but it's been relatively poor at auto-detecting tv show metadata, so I'm still in the market for an app I'm happy with. Ideally an open source one.
> - what about for streaming music?
Technically works, but whether it's a good experience depends on the client you're using.
> - what do you like the most about jellyfin
Easy to set up. Great plugins for finding subtitles/artwork/metadata. Open source with good docs. Works with lots of clients. Easy to create and share accounts, and has fun features like synced remote viewing parties.
Not sure about jellyfin, but I really dig Emby. Just as convenient as Plex. I can't even remember why I switched to Emby over Plex, but I never looked back.
Emby performs better than Jellyfin IME, at least if you need it to work on older TVs. Though IDK if they still offer a lifetime (pay once) subscription.
- Not selling off my watching history to third parties. This is a privacy disaster still about to blow up. Expect holders of large plex libraries with pirated content to be lined up in court in the near future.
- Decentralized.
- Not parasiting on FOSS such as ffmpeg. Plex famously took everything from ffmpeg and gave nothing back, while making lots of money in the process.
I ran plex for years but gave up once they started tracking all activity.
Jellyfin is way to administer. Clients are rough and often crash. Influx is often the best choice for IOS but has its own... weird decisions on how to handle libraries.
The main thing I miss is being able to download transcoded media for mobile devices so I can watch on a plane.
I own the instance that's running on my own homeserver. It does what I want it to do. Stream my media for me, other directly in the same network, or transcodes when I'm away.
I don't understand. I run a Plex instance on my home server as well. Are you referring to jellyfin not needing a centralized Plex account? Or do most Plex users rely on a plex-provided server?
I have no idea how Plex runs their servers, but I've worked at companies where new systems are rolled out for new users/accounts, but old users/accounts are left on the "legacy" system (usually with the plan to migrate once the new system has been deployed and there is bandwidth available to handle the complexity of migrating users between systems). In particular, if you have a long-running service where some very old accounts might have special billing/pricing logic that you want to continue honoring but is difficult to implement in the new system, such a setup might make sense to continue long-term for a small subset of accounts.
Alternatively, maybe they mean that the limited subset of data was specifically the "email" and "password_hash" columns of the database ;P
Could be technically true in that they didn’t access every last bit of “user data” like support chat logs or whatever stored elsewhere, but they have phrased it that way to make it seem like less of a big deal. Just a guess.
It's easy to imagine Plex has some db sharding going on at their scale, or that they host in multiple geographic regions for regional compliance, or on multiple cloud providers.
> Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.
I am glad they were hashed, but that's a misleading statement. The point of hashing is to slow an attacker down, even with full best security practices (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if.
One of the aspects of MtGox's database leak that I found most fascinating to watch was the public effort to figure out users' passwords from the hashes. Checking common passwords, patterns, and people's public interests on Twitter was all shockingly effective.
It's technically true that all cryptography is just slowing things down, but we are talking about heat death of the universe lengths of time for most crypto algorithms.
*assuming quantum computing doesn't take off or a fundamental flaw isn't found in the crypto.
The weak point is, has, and will always be people. They're cryptographic hashes of people's chosen passwords. You aren't attacking hypothetical mathematical entropy, you're attacking human imagination and laziness.
It isn't academic either. I have broken tons of cryptographic hashes in my career. Most of my colleagues have too. From DES through bcrypt over tens of years. The cost/performance has slowed, but the techniques haven't changed one bit because PEOPLE haven't changed one bit.
Obviously nobody can crack a sha512 hash likely containing a randomly generated cryptographic number. But that's irrelevant, because we're discussing the Plex security incident where humans created passwords, and humans today, tomorrow, and ten years ago are just as incapable of creating good passwords.
So their claim that these hashes "cannot be read" is inaccurate. If you have a modest budget and want to target a handful of accounts, there are multiple CHEAP cloud services that will happily sell you compute to do so.
sha* is a horrible choice for storing passwords. Its intended use is for verifying data integrity.
You should be using the solutions readily available instead of trying to reinvent the wheel, or avoid this subject altogether if you can't be bothered to educate yourself as to why.
This has been a decades-long issue, and it blows my mind how people in IT still haven't gotten the memo.
Use argon2, scrypt or even bcrypt, which are all designed for keeping passwords secure with regards to brute force cracking.
Maybe this is naive, but in a good crypto system, I would hope "when" is measured in millions or billions of years given current hardware capabilities.
If you have a long enough and random enough password, you're probably good. The trouble with short passwords is that there just aren't that many of them. An attacker can just compute the hash of all of them.
As long as the salt is secret from the attackers (which is not a given, of course), the length of the passwords shouldn't matter all too much; the input to the hash (i.e. password + hash) would still have enough entropy to not be brute-force-able.
If you have the hashed password, in most systems you have the salt. Salt+hash is for preventing the attackers from getting to try all your passwords in parallel.
Maybe this is what you're saying, I'm not sure - my understanding was that the salt prevents reused passwords from resulting in the same hash. So, if I use 'password' and you use 'password' the salt+hash will be different. That way attackers can't just hash all the common passwords once and immediately associate them with different accounts.
Yeah, exactly. Commonly, the salts are stored right next to the hashes in the DB, because they serve their purpose even if the attacker knows what the salts are. By using a different salt for every password, the attacker needs to execute a full "guess, hash, compare, repeat" attack on each user, as opposed to "guess, hash, compare against all user passwords, repeat" on the entire database.
You can also have a system salt(s) that are not stored with the database, so that if someone accesses the database they have to guess password and two salts, one of which they hopefully do not have via the same penetration.
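The per-user salt and the separate "system salt" (pepper) discussed in this exchange, as an added example that is not any commenter's code; it assumes Python's hashlib.scrypt as the slow hash and uses a constructed pepper value in place of one read from a secret store:

```python
import hashlib
import hmac
import secrets

# Hypothetical "system salt" / pepper: lives in app config or a secret store,
# never in the users table. Constructed sample value for this demo only.
PEPPER = b"constructed-demo-pepper-not-a-real-secret"

# scrypt work factors; raise N until one verification costs ~100 ms on your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _derive(password: str, salt: bytes, pepper: bytes) -> bytes:
    # The pepper is mixed in via HMAC before the slow hash, so a database dump
    # without the pepper cannot even be checked against candidate passwords.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(peppered, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    # Fresh random salt per user, stored next to the hash in the DB (that is fine:
    # its job is to make identical passwords hash differently, not to stay secret).
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": _derive(password, salt, pepper).hex()}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    salt = bytes.fromhex(record["salt"])
    candidate = _derive(password, salt, pepper)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    # Two users choosing the same weak password get unrelated stored records.
    alice = make_record("password")
    bob = make_record("password")
    return {
        "same_password_distinct_records": alice["hash"] != bob["hash"],
        "alice_verifies": verify("password", alice),
        "wrong_password_rejected": not verify("Password", alice),
        # Holding only the DB row (salt + hash) but not the pepper is not enough.
        "db_alone_insufficient": not verify("password", alice, pepper=b"wrong-pepper"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```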
Not necessarily related, but I'll take the opportunity to share my dislike of this company. Like others, they built a loyal following around a set of features provided, no questions asked, to stream your content to your own devices.
Over the last couple of years, Plex has continued to strip functionality, add paywalls, make deals with publishing companies, and take other actions that firmly put them in the 'enshittification' phase. They've capitalized on the community that gave them their success, so I've cashed out as well.
At this point there is little need for those of us with some technical ability to use this software and all the bloat that comes with it. Jellyfin[1] is an excellent alternative that I've fully switched over to this last year. I will not let a company take ownership of my media library, ever.
I have a “lifetime pass”. I’ve noticed some of these “features” creeping into the ecosystem (bloat), but I haven’t actually seen any stripped functionality. For the most part, it works as advertised.
That being said, a lot of my mates are moving to Jellyfin. Nothing but good things from them.
For lifetime pass owners, I think you've dodged the features they've put paywalls up for. The big one is preventing free accounts from streaming to shared user libraries. So if you have your pass + 5 buddies sharing their plexes (and they don't have Plus), you cannot view their content I believe.
Your first post said "built a loyal following around a set of features provided, no questions asked, to stream your content to your own devices" and now you're saying they removed the ability for people to share content with each other if they are not paying customers.
Hm, I too primarily have srt's. No idea why just says "failed to load" or somesuch and I haven't been arsed to figure out why when I can just hop over to Plex and watch.
That said, I've had a few HDR movies which Jellyfin handled a lot better, so it's a bit here and there.
As for skipping, I primarily skip backwards when I miss dialog (so much mumbling these days), or forward when it's a TV show which has segments I don't care too much about, like say some irrelevant love subplot.
What do you do? Separate file? Not sure if I've noticed a pattern other than "mostly doesn't work well".
> Skipping, do you mean skipping intros and such?
Sorry, I meant jumping back and forth. On Plex I can just press left/right arrows on the remote, and it jumps a few seconds. On Jellyfin I have to press ok/confirm to actually do the jump. Very annoying.
Changing files isn't really an option for me because my media stays in an off-site server and the mount point is readonly.
I'll set up jellyfin and see which titles I'm unable to add and try to collaborate on metadata. It's always important to favor opensource. I can always have both services running side by side.
Yes. This is the flaw in Jellyfin that makes it a non-starter for me. One time I spent like two hours updating all the metadata, and then some strangely worded button reset it all. Haven't used it since.
I haven't noticed this issue any more than Plex, seems to be more about having all the files in a clear folder for a show/season than the specific individual file names. But YMMV
I have been using Jellyfin for two years now.
I am yet another happy user with no issues. I am happy that all my data is secure and there is nothing shady to happen.
It was not surprising when Plex had a huge investment coming from VCs who might as well just be connected to the movie industry and Hollywood as a whole, when they committed the act of banning Hetzner and all of their data centers.
They also had slowly become just another low quality streaming service like Tubi or IMDb with really low quality content being pushed down onto the homepage and actually keeping your own media hidden somewhere in the submenus. With their updates they threw the entire UX upside down.
Plex has the most mature platform to be frank. But I am happy I jumped ship as soon as I saw their predatory practices. They are not going to stop.
You have to be a fool to use Plex: not only are you pirating, but you are also relying on a 3rd party company to handle your authentication. They already got hacked multiple times; it's only a matter of time till there is some copyright law enforcement event too.
If you really have to do it, use Emby or Jellyfin. At least those options are fully self hosted.
That said, I shouldn't be blinded by convenience. I hear jellyfin is a good alternative. Can someone share
- how easy is it to administer for clients outside of my network or possibly even outside my country?
- how good is the app support? I transcode all of my media to AAC and h264 for compatibility
-what about for streaming music? I really like Plex amp
- what do you like the most about jellyfin
- what do you miss most about Plex?
Thank you.
- what do you miss most about Plex?
The ads. jk never used it.
I think the final straw was Plex artificially blocking transcoding on Raspberry Pi, even though it would work with a ton of workarounds.
- there are a variety of apps to choose from on ios/android, smart TVs might be limited or nonexistent (LG has a good one though)
- consider a separate dedicated tool for music, like Navidrome
- it's open source, its developers respect me and my users and do not abuse their access to them using dark patterns to extract revenue
- features that they have removed anyway (plugins, photo sync, plex cloud)
How could only a subset be affected? Any architecture other than a "users" db table wouldn't make sense.
Plex Update: Notice of a potential security incident - https://news.ycombinator.com/item?id=45174684
I'll pay you $10k if you can crack this sha512 hash.
I'd offer a million, but I don't have that kind of money.
5a55b7b0e1f9452f925b1aa43cf148081da58c66c735961d9a7cb699b2fd5b08bee6b24ec47fce0b93ba49df83641a30c7843dece49e0a0db5a7c50901492fdd
The other 99.9% enjoy junk food, and don't use password generators.
How much compute/GPU and hard dollars would hackers need in order to reverse engineer those stolen passwords?
So please explain your reply further. Also recall their claim for context of what I was replying to, and what you're here defending now.
If their claim is credible what I did and what you're reiterating wasn't possible.
Granted, the suggested defaults for argon2 are like ~0.1 second per verification on a rather beefy CPU; in 17h that's about 620 000 guesses.
Your cheap compute would likely perform worse.
That is beyond improbable. You are making it up.
What’s the date of this release? There was a similar release a few months ago and I’m curious if I need to again reset my account.
[1] https://jellyfin.org/
Plugins, the watch later list, the up next/playback queue, Plex Cloud/Cloud Sync, photo backup (this one hurt), privacy preferences were badly nerfed.
Those are just the ones I miss, I'm sure there are more (like the short lived arcade thing).
(We were begging for them to fix the functionality of watch together for almost 5 years)
First, subtitle support is quite limited in comparison. It fails more often than it works for me.
Second is the lack of skipping.
This is with the Android TV client, haven't really tried the others.
I always watch with subtitles, but haven't noticed worse support in jellyfin vs plex, really. Granted, I mostly use srt/ssa (text based subtitles).
> Second is the lack of skipping.
You just need to install the intro skipper plugin :)
https://github.com/intro-skipper/intro-skipper
Skipping, do you mean skipping intros and such? Or something else?
Jellyfin somehow just works on all my devices.
This is the same deal with Plex tho, although I found plex internal metadata engine to auto-match better than jellyfin currently does.
You can help here though. Just come to https://www.themoviedb.org/ and help us add metadata.
"Reset universal entropy"
Their metadata lookup is quite solid.
* they already have peer filename.nfo files with TVDB | IMDB | TMDB IDs
* not if they have scene standard names AND are not ambiguous media names (eg: Utopia - which of the 5 possible series do you mean?)
But these are issues all media libraries face.
Group series episodes in per series (or even per season) folders and include a tvshow.nfo file with any IDs.
eg:
is overkill for Media Watch https://www.themoviedb.org/tv/328-media-watch which just leaves the issue of TheMovieDB being weak on metadata for that series .. but can be completed from TheTVDB https://www.thetvdb.com/series/media-watch
I don't want to need to have a centralized account to access my media library on my device.
I don't want to have to pay monthly to enable hardware transcoding.
a) be running an ancient plex version, before they rolled all of that crap out.
b) edited your home screen to remove all of those "plex offers".