I am a faithful Plex lifetime user and have never had problems.
That said, I shouldn't be blinded by convenience. I hear jellyfin is a good alternative. Can someone share
- how easy is it to administer for clients outside of my network or possibly even outside my country?
- how good is the app support? I transcode all of my media to AAC and h264 for compatibility
- what about for streaming music? I really like Plex amp
- what do you like the most about jellyfin
- what do you miss most about Plex?
Thank you.
meesles · 5h ago
I'll fill in what I can -
> - how easy is it to administer for clients outside of my network or possibly even outside my country?
Jellyfin is just the software, not a hosted solution. I use a simple server/seedbox, with sane configs (good providers have automated this), which results in a secure public-facing admin console with a username/password. They have basic user management features to include other users in your server.
> - how good is the app support? I transcode all of my media to AAC and h264 for compatibility
Jellyfin has a broad ecosystem of apps on a bunch of platforms, each with their pros and cons. I recommend poking around. When figuring my setup out, I downloaded 3 or 4 different Android apps to pick the one I liked (support for multiple servers which isn't a given in all the apps)
> - what about for streaming music? I really like Plex amp
IMO Plex has always been substandard here since they hoisted the music interface into the same one they use for everything else, so it's really lacking in filters/administration features I depend on. That said Jellyfin supports music and has the same simple feature set.
> - what do you like the most about jellyfin
It's free and untethered to a company's whims. It also does a lot less of the social/DVR stuff that I have no interest in.
> - what do you miss most about Plex?
Their app experience was a bit more premium, and their support for multiple servers is better than Jellyfin since they own the servers/hosting to do it. I also really used to enjoy the 'remote' functionality where I could skip episodes by clicking next on the Plex app in my phone. This hasn't worked for a few years for me despite heavy troubleshooting.
squishington · 4h ago
The official jellyfin android app also provides 'remote' functionality (skip episodes, browse library, change volume etc.). It works well for me most of the time, but occasionally it can't find the remote session until I restart the jellyfin instance.
seabass · 5h ago
> how easy is it to administer for clients outside of my network or possibly even outside my country?
You can run Jellyfin in any docker container. If you want to run it on a NAS in your home office and put it on the internet through ngrok or tailscale, you totally can. But you can host it pretty much wherever.
> how good is the app support? I transcode all of my media to AAC and h264 for compatibility
The official clients are just ok. They'll support all the file types you'd expect, but they're fairly slow and not great at streaming 4K. I pay for a client (Infuse Pro) that addresses a lot of those pain points, but it's been relatively poor at auto-detecting tv show metadata, so I'm still in the market for an app I'm happy with. Ideally an open source one.
> - what about for streaming music?
Technically works, but whether it's a good experience depends on the client you're using.
> - what do you like the most about jellyfin
Easy to set up. Great plugins for finding subtitles/artwork/metadata. Open source with good docs. Works with lots of clients. Easy to create and share accounts, and has fun features like synced remote viewing parties.
> - what do you miss most about Plex?
The ads. jk never used it.
ktm5j · 5h ago
Not sure about jellyfin, but I really dig Emby. Just as convenient as Plex. I can't even remember why I switched to Emby over Plex, but I never looked back.
paulryanrogers · 5h ago
Emby performs better than Jellyfin IME, at least if you need it to work on older TVs. Though IDK if they still offer a lifetime (pay once) subscription.
platevoltage · 5h ago
I've been a paid user of Emby for years and it's been well worth it.
I think the final straw was Plex artificially blocking transcoding on Raspberry Pi, even though it would work with a ton of workarounds.
unsnap_biceps · 5h ago
I ran plex for years but gave up once they started tracking all activity.
Jellyfin is way to administer. Clients are rough and often crash. Influx is often the best choice for iOS but has its own... weird decisions on how to handle libraries.
The main thing I miss is being able to download transcoded media for mobile devices so I can watch on a plane.
hamdingers · 5h ago
- just like any web service, reverse proxy with SSL, it has internal user management
- there are a variety of apps to choose from on ios/android, smart TVs might be limited or nonexistent (LG has a good one though)
- consider a separate dedicated tool for music, like Navidrome
- it's open source, its developers respect me and my users and do not abuse their access to them using dark patterns to extract revenue
- features that they have removed anyway (plugins, photo sync, plex cloud)
aaomidi · 5h ago
Plex works on chromecast etc, not for jellyfin
bingo-bongo · 2m ago
Huh? I’ve used jellyfin on my chromecast for years
benoau · 5h ago
Always disliked Plex for them imposing themselves as a middleman to using the software locally, which is ultimately the root cause for this incident.
imglorp · 5h ago
> An unauthorized third party accessed a limited subset of customer data from one of our databases
How could only a subset be affected? Any architecture other than a "users" db table wouldn't make sense.
nimih · 5h ago
I have no idea how Plex runs their servers, but I've worked at companies where new systems are rolled out for new users/accounts, but old users/accounts are left on the "legacy" system (usually with the plan to migrate once the new system has been deployed and there is bandwidth available to handle the complexity of migrating users between systems). In particular, if you have a long-running service where some very old accounts might have special billing/pricing logic that you want to continue honoring but is difficult to implement in the new system, such a setup might make sense to continue long-term for a small subset of accounts.
Alternatively, maybe they mean that the limited subset of data was specifically the "email" and "password_hash" columns of the database ;P
reassess_blind · 5h ago
Could be technically true in that they didn’t access every last bit of “user data” like support chat logs or whatever stored elsewhere, but they have phrased it that way to make it seem like less of a big deal. Just a guess.
supportengineer · 5h ago
Sharding the data across DBs, separate credentials for each DB.
kingnothing · 5h ago
It's easy to imagine Plex has some db sharding going on at their scale, or that they host in multiple geographic regions for regional compliance, or on multiple cloud providers.
reactordev · 5h ago
Rows 1-200,000 instead of 1-1,000,000 I would presume.
> Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party.
I am glad they were hashed, but that's a misleading statement. The point of hashing is to slow an attacker down; even with full best security practices (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if.
Urist-Green · 5h ago
One of the aspects of MtGox's database leak that I found most fascinating to watch was the public effort to figure out users' passwords from the hashes. Checking common passwords, patterns, and people's public interests on Twitter was all shockingly effective.
internetter · 29m ago
This sounds fascinating. Has there been any literature produced on this specific incident and unfolding attempts?
pixl97 · 5h ago
Technically you may have to burn more entropy than exists in the visible universe, so it's a possible if in the case of the right hash and luck.
aeonik · 4h ago
This is misleading, if the password is a certain length, then it might as well be considered secure. You could safely release hashes.
I'll pay you $10k if you can crack this sha512 hash.
I'd offer a million, but I don't have that kind of money.
It's technically true that all cryptography is just slowing things down, but we are talking about heat death of the universe lengths of time for most crypto algorithms.
*assuming quantum computing doesn't take off or a fundamental flaw isn't found in the crypto.
Someone1234 · 1h ago
The weak point is, has, and will always be people. They're cryptographic hashes of people's chosen passwords. You aren't attacking hypothetical mathematical entropy, you're attacking human imagination and laziness.
It isn't academic either. I have broken tons of cryptographic hashes in my career. Most of my colleagues have too. From DES through bcrypt over tens of years. The cost/performance has slowed, but the techniques haven't changed one bit because PEOPLE haven't changed one bit.
Obviously nobody can crack a sha512 hash likely containing a randomly generated cryptographic number. But that's irrelevant, because we're discussing the Plex security incident where humans created passwords, and humans today, tomorrow, and ten years ago are just as incapable of creating good passwords.
So their claim that these hashes "cannot be read" is inaccurate. If you have a modest budget and want to target a handful of accounts, there are multiple CHEAP cloud services that will happily sell you compute to do so.
daveidol · 1h ago
Some humans use password generators though, so those should be safe
Dedime · 5h ago
Maybe this is naive, but in a good crypto system, I would hope "when" is measured in millions or billions of years given current hardware capabilities.
smallerize · 5h ago
If you have a long enough and random enough password, you're probably good. The trouble with short passwords is that there just aren't that many of them. An attacker can just compute the hash of all of them.
jcgl · 5h ago
As long as the salt is secret from the attackers (which is not a given, of course), the length of the passwords shouldn't matter all too much; the input to the hash (i.e. password + hash) would still have enough entropy to not be brute-force-able.
OkayPhysicist · 5h ago
If you have the hashed password, in most systems you have the salt. Salt+hash is for preventing the attackers from getting to try all your passwords in parallel.
solid_fuel · 4h ago
Maybe this is what you're saying, I'm not sure - my understanding was that the salt prevents reused passwords from resulting in the same hash. So, if I use 'password' and you use 'password' the salt+hash will be different. That way attackers can't just hash all the common passwords once and immediately associate them with different accounts.
fluidcruft · 4h ago
You can also have a system salt(s) that are not stored with the database, so that if someone accesses the database they have to guess password and two salts, one of which they hopefully do not have via the same penetration.
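An added example, not part of the thread or any commenter's code: the per-user salt and the separately stored system secret ("pepper") described in the comments above, with the standard library's scrypt standing in for argon2. `PEPPER`, `hash_password` and `verify_password` are hypothetical names, and the pepper value and passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for the demo. Assumption: in a real deployment it is
# loaded from a secret store or the environment, never from the user database.
PEPPER = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)

# scrypt cost parameters (roughly 16 MiB of memory per guess).
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _stretch(password: str, salt: bytes, pepper: bytes) -> bytes:
    # The pepper is mixed in as an HMAC key, so a database dump alone is not
    # enough to test guesses; the per-user salt then feeds the slow KDF.
    keyed = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.scrypt(keyed, salt=salt, **SCRYPT_PARAMS)


def hash_password(password: str, pepper: bytes = PEPPER) -> dict:
    """Return the record that would be stored in the users table."""
    salt = secrets.token_bytes(16)  # unique per account, stored beside the hash
    return {"salt": salt.hex(), "hash": _stretch(password, salt, pepper).hex()}


def verify_password(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(_stretch(password, salt, pepper), expected)


def demo() -> dict:
    shared = "password"  # two accounts pick the same weak password
    alice, bob = hash_password(shared), hash_password(shared)
    wrong_pepper = b"\x00" * 32  # what someone holding only the dump would lack
    return {
        # Without a salt, one computed digest matches every account using it.
        "unsalted_collide": unsalted_sha256(shared) == unsalted_sha256(shared),
        # With per-user salts the stored hashes differ for the same password.
        "salted_differ": alice["hash"] != bob["hash"],
        "login_ok": verify_password(shared, alice),
        "wrong_password_rejected": not verify_password("passw0rd", alice),
        # A correct password guess still fails without the real pepper.
        "wrong_pepper_rejected": not verify_password(shared, alice, wrong_pepper),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

The salt is stored with the hash and is expected to leak with it; only the pepper relies on being kept somewhere the database breach does not reach.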
mr90210 · 5h ago
> (e.g. salt + pepper + argon2 w/high factors) they can still be reverse engineered. It is a matter of when, not if
How much compute/gpu and hard dollars would hackers need in order to reverse engineer those stolen passwords?
reactordev · 5h ago
They borrow unsecured k8s clusters on AWS. That’s not redis running…
kstrauser · 5h ago
Approximately “infinite”.
mvdtnz · 5h ago
For all practical purposes what you're saying is just wrong.
Someone1234 · 4h ago
I've done so within the last year, successfully. Cost $7 for a single password in just compute and took about 17 hours (lowest, cheapest priority).
So please explain your reply further. Also recall their claim for context of what I was replying to, and what you're here defending now.
If their claim is credible what I did and what you're reiterating wasn't possible.
mvdtnz · 4h ago
No you haven't, not for a reasonably strong password.
OptionOfT · 3h ago
What about the TOTP setup code? Has that one leaked? Is that recoverable?
bronco21016 · 6h ago
Edit: disregard. Just received the email.
What’s the date of this release? There was a similar release a few months ago and I’m curious if I need to again reset my account.
vladmk · 6h ago
Unfortunately things like this happen a lot more than they should.
meesles · 6h ago
Not necessarily related, but I'll take the opportunity to share my dislike of this company. Like others, they built a loyal following around a set of features provided, no questions asked, to stream your content to your own devices.
Over the last couple of years, Plex has continued to strip functionality, add paywalls, make deals with publishing companies, and take other actions that firmly put them in the 'enshittification' phase. They've capitalized on the community that gave them their success, so I've cashed out as well.
At this point there is little need for those of us with some technical ability to use this software and all the bloat that comes with it. Jellyfin[1] is an excellent alternative that I've fully switched over to this last year. I will not let a company take ownership of my media library, ever.
I have a “lifetime pass”. I’ve noticed some of these “features” creeping into the ecosystem (bloat), but I haven’t actually seen any stripped functionality. For the most part, it works as advertised.
That being said, a lot of my mates are moving to Jellyfin. Nothing but good things from them.
hamdingers · 5h ago
> but I haven’t actually seen any stripped functionality
Plugins, the watch later list, the up next/playback queue, Plex Cloud/Cloud Sync, photo backup (this one hurt), privacy preferences were badly nerfed.
Those are just the ones I miss, I'm sure there are more (like the short lived arcade thing).
(We were begging for them to fix the functionality of watch together for almost 5 years)
meesles · 5h ago
For lifetime pass owners, I think you've dodged the features they've put paywalls up for. The big one is preventing free accounts from streaming to shared user libraries. So if you have your pass + 5 buddies sharing their plexes (and they don't have Plus), you cannot view their content I believe.
blactuary · 4h ago
Your first post said "built a loyal following around a set of features provided, no questions asked, to stream your content to your own devices" and now you're saying they removed the ability for people to share content with each other if they are not paying customers.
magicalhippo · 5h ago
I like Jellyfin, but I keep using Plex for two reasons.
First is subtitle support is quite limited in comparison. It fails more often than it works for me.
Second is the lack of skipping.
This is with the Android TV client, haven't really tried the others.
JamesSwift · 4h ago
Jellyfin clients are the weakest aspect imo. Sort of hit or miss, and the ios client is inferior to a 3rd party paid offering (infuse)
meesles · 5h ago
Fair, I handle subtitles in my ingestion pipeline and so those are ready to go by the time Jellyfin gets involved.
Skipping, do you mean skipping intros and such? Or something else?
magicalhippo · 5h ago
> I handle subtitles in my ingestion pipeline
What do you do? Separate file? Not sure if I've noticed a pattern other than "mostly doesn't work well".
> Skipping, do you mean skipping intros and such?
Sorry, I meant jumping back and forth. On Plex I can just press left/right arrows on the remote, and it jumps a few seconds. On Jellyfin I have to press ok/confirm to actually do the jump. Very annoying.
vachina · 5h ago
Some Plex clients will fail to direct stream DTS + PGS.
Jellyfin somehow just works on all my devices.
gchamonlive · 6h ago
Do I still need to mess with filenames in order to have jellyfin pick them up to create the library?
meesles · 5h ago
I haven't noticed this issue any more than Plex, seems to be more about having all the files in a clear folder for a show/season than the specific individual file names. But YMMV
vachina · 5h ago
If you categorize your libraries into their correct directories (i.e. TV into TV, movies into movies), then no.
Their metadata lookup is quite solid.
gchamonlive · 3h ago
Will give it a try, thanks
nick_ · 5h ago
Yes. This is the flaw in Jellyfin that makes it a non-starter for me. One time I spent like two hours updating all the metadata, and then some strangely worded button reset it all. Haven't used it since.
pixl97 · 5h ago
>then some strangely worded button reset it all
"Reset universal entropy"
defrost · 5h ago
Not if:
* they already have peer filename.nfo files with TVDB | IMDB | TMDB ID's
* not if they have scene standard names AND are not ambiguous media names (eg: Utopia - which of the 5 possible series do you mean?)
But these are issues all media libraries face.
Group series episodes in per series (or even per season) folders and include a tvshow.nfo file with any IDs.
Sometimes I have needed to rename files, but to me it is both sensible (how else to recognize a show, maybe a metadata file) and totally worth it.
I don't want to need to have a centralized account to access my media library on my device.
I don't want to have to pay monthly to enable hardware transcoding.
gchamonlive · 5h ago
I can't because most of my media is in an off-site server and the mount point is readonly
vlovich123 · 5h ago
One thing I'll note is that while I've found every device surface I've come across has a Plex app, that isn't true of Jellyfin. YMMV.
vachina · 6h ago
They removed mobile device playback rights from users who paid for this feature specifically. Nobody in their right mind will do business with Plex.
princevegeta89 · 5h ago
I have been using Jellyfin for two years now.
I am yet another happy user with no issues. I am happy that all my data is secure and there is nothing shady to happen.
It was not surprising when Plex had a huge investment coming from VCs who might as well just be connected to the movie industry and Hollywood as a whole, when they committed the act of banning Hetzner and all of their data centers.
They also had slowly become just another low quality streaming service like Tubi or IMDb with really low quality content being pushed down onto the homepage and actually keeping your own media hidden somewhere in the submenus. With their updates they threw the entire UX upside down.
Plex has the most mature platform to be frank. But I am happy I jumped ship as soon as I saw their predatory practices. They are not going to stop.
blactuary · 4h ago
I have never had any of their streaming content pushed onto my homepage nor had my own media hidden in submenus. I don't see anything but my own media
draxter65 · 5h ago
You have to be a fool to use Plex, not only are you pirating, but also relying on a 3rd party company to handle your authentication. They already got hacked multiple times, only a matter of time till there is some copyright law enforcement event too.
If you really have to do it, use Emby or Jellyfin. At least those options are fully self hosted.
paulryanrogers · 4h ago
Plex has their own streaming-with-ads. And one can load it with whatever you want, including home movies or DVD backups.
Plex Update: Notice of a potential security incident - https://news.ycombinator.com/item?id=45174684
5a55b7b0e1f9452f925b1aa43cf148081da58c66c735961d9a7cb699b2fd5b08bee6b24ec47fce0b93ba49df83641a30c7843dece49e0a0db5a7c50901492fdd
[1] https://jellyfin.org/
eg:
is overkill for Media Watch https://www.themoviedb.org/tv/328-media-watch which just leaves the issue of TheMovieDB being weak on metadata for that series .. but can be completed from theTVDB https://www.thetvdb.com/series/media-watch