24/12/2006 at 10:44 PM #923
Can be done rather simple now thanks to the fact that neither the roku nor the firefly server deliberatly limit it, though 1-2 smaller issues remain.
Heres a descriptio of how I did it – posted in rokus forum as it belongs a bit more there:25/12/2006 at 1:40 PM #8117
Well, “no more need for tunnels or VPN” is a bit misleading. Just sharing your music collection through an open port without any VPN so that anyone could access it would probably make you quite liable under a bunch of copyright laws 😉
Not sure where your problem regarding the password lies, but have you tried to proxy the share as a daap share instead? When I was using Howl quite some time ago, I had _daap._tcp instead of _rsp._tcp in my config file.25/12/2006 at 4:34 PM #8118
the password problem is solved btw. The problem was that if you once access a library that has no password set then the rokus remember the no password and dont ask for one even if later one is set. It just fails then. Nasty. It should ask for a password then but doesnt.
You need to factoryreset/unpower it then it forgets the bogus empty password and connect works and asks for the remote password again. Once the pw entered it will keep it and access also a password protected remote library without always reentering the pw then. Nice.
This is then also no issue under any copyright laws any more. No matter how weak your password is its not publically shared then.
Though most people anyway dont care about copyright issues IMHO.
Plus remote streaming of RSP streams isnt done so frequently yet so its not likely someone notices the open port anyway.
Sharing a _daap._tcp. does btw NOT work for Pinnacle sold rokus as they have no Apple license for DAAP. Plus even if your roku is a USA brand one you wont want to use daap I think. Its slower in my experience. I could notice a ca. 2x speedup in remote browsing (ok only subjective feeling not measured) using the rsp service over the daap one so I guess that is best anyway.
I definitly think this method is way easier and faster than running VPN networks. Simply much less to install and setup on the client side and remote side. If rokulabs incorporate some auto discovery IP in their firmware then it would even be noob safe. But its getting quite noob safe already now I guess – thanks to roku and firefly not implementing any burdens (unlike iTunes).26/12/2006 at 1:06 PM #8119
No issue any more? No matter how weak a password is? In which country do you exactly live? Russia? 😀
“Ignore is no excuse” as it says. All over the democratic world, you’ll either get a judge who judges based upon precedence, in which case even WEP isn’t safe enough, so a weak plaintext password is surely much less, or upon logic and common knowledge, in which case it should be common knowledge enough that a weak plain password is not enough either.
And it’s not likely someonce notices? Haven’t you read the news about copyright agencies hunting file sharers? If I would work for those, a portscan on 3689 would have been one of the first things implemented really, since it’s virtually no work with all the tools existing, and nearly every hit would be a gold mine since the number of songs shared would be way above any limit the courts have set to reduce the number of filings against smalltime sharers.
Not using a VPN tunnel would be judged as “wantonly negligent” in front of most courts, so I find your recommendation that this wouldn’t be necessary quite dangerous and misleading.
To the daap vs rsp topic: haven’t tried with my Pinnacle M1001, but if it is like you described, it’s good you found the problem 😉26/12/2006 at 4:30 PM #8120
Well I live in a country where you need to be proven guilty, not the other way round. Dunno if that applies to Russia. My harddrive is fullcrypted with AES-256 and the internet access shared over several users. Theres no way to prove who did what. Not even if they taped the internet provider. But thats offtopic anyway here and is done so for other reasons (hehe no I am no terrorist lol). Here the discussion is how to reasonably use such a remote share, to which I wanted to contribute as I am one of these restless souls not always staying at the same place.
Either way, most courts or judges would need an external specialist to tell em what VNC means or how to even spell it. LOL* Most people are no network experts. And you dont have to lecture me over WEP. I dont use it any more, but as long as there is no law to actually use WPA I may even choose to use no encryption at all. An internet connection is still no weapon that one has to lock away. At least not here. Theres anonymous cybercafees here! Really!
Just like a telephone. I only have to pay the connection fees but there we have flatrates fortunately. If someone uses my phone to call 911 and talk crap there then this may be inconvenient for me to answer the questions – but you have not comitted a crime and unless someone can prove you made the call you wont be prosecuted.
Besides if you set a password and DONT give it willingly to anyone then whoever manages to access your data is committing a rather serious crime in the USA, I understand. That also sort of indicates that you cant really be held liable for such a criminal act then. And if the IFPI scans for port 3689 (unlikely DAAP is NO filesharing utility) then they get a password prompt and have to break laws to get further – if they manage to break in. Unlikely they would do that and admit it later in a court?
But well, as stated before I dont care overly much about such legal rubble, as long as things work neatly. I am pragmatic to the bone.
I of course want some security for such a share but am not overly frightened otherwise.
Hence my request to look a bit into security features for this server and my post of how to easiest run a remote share for ones own use.
And yes I am listening to my own password protected share right now. This second. Try to break in and post what security flaws you found if you like…26/12/2006 at 6:01 PM #8121
Russia was just a side blow at allofmp3.com 😉
Inoccent until guilty – yes. But “wantonly negligent” means to be guilty of carelessness. E.g. sure you may choose to not use any WiFi protection at all. What will happen if someone misuses it is that you’ll get convicted for complicity – even though there’s no law that forces you to use WPA, the judge can and often will – without any specialist – just remember he read that WEP is unsafe in some tabloid and decide based on that. Happened just a few months ago in Hamburg (Germany), for example. It was actually very similar to your telephone example – they tried to defend themselves by saying that someone misused their Internet through their open wireless to share files – still their fault! And I remember reading about similar verdicts in some U.S. states.
Even with the 911 call its not that simple. If you would’ve been there while he talked, you would’ve been a accomplice if you hadn’t tried to stop him. If you wouldn’t have been there, you either let your door unlocked (which would be wantonly negligent in most rural areas – again partly your fault), or he broke in, in which case you’re quie clearly the victim I’ve got to admit 😀
Whenever I look at the coffee cup from my last trip to the U.S. I have to think about this million dollar “Contents may be hot” verdict – based on that, it seems that if you do not write “Do not misuse for 911 calls” on your phone, you’re responsible 😀 And similar warnings, for stuff we would regard as common knowledge in Europe, is something I find on really a lot of U.S. stuff 😉
Ok, so there are tools out there that let you download all files from a DAAP share. Which leaves than weak password – a dictionary attack should suffice for a weak one I would assume. Sure, no one would admit to have broken in, that’s quite right. But do you have that much trust in the system? An attorney can make a few thousand bucks just on the cease & decist. All he’s got to do is use an anonymous remailer (or cybercaffee as you mentioned 😉 ) and “you’ve been sharing”… sure that’s not legal, but how do you try to tell the judge that it wasn’t you who posted that? And why should it be unlikely? It’s possible for others to download files through it, and let’s be honest, many attorneys who’re looking for violators – employed by the music industry or their own, NOT by the law – take everything they can.
I believed in the law myself at some point. Before I lost 3 or 4 times in court because of judges who live on their golf court and want to get there asap, but have no idea about technology. Quite a difference between being on the “good” side and getting that acknowledged by a court. Sad but true, and this includes the U.S. 😉 Bad experience has destroyed any pragmatism there 😀
Btw, without having your IP I wouldn’t attempt at doing so – too much work for me, the scenario above is for. Since I have some DAAP code lying around I wrote for browsing, a simple loop attempting a password list (you mentioned a weak password 😀 ) would be ready within minutes 😉 – for a given IP; I’m not going to spend a few hours port-scanning just to find any (surely not yours) open port 3689, since that part if proven 😉26/12/2006 at 11:16 PM #8122
Yeah, there is some legal risk connected to everything you do. Thats life. The “in court everything is possible and nothing 100% sure” effect is known in every law system. Thats not special in internet though. Dont invite trouble but also dont panick over nothing.
What one should keep pragmatically in mind is how big a risk is statistically. Theres a lot of media distortion (also a RDF – reality distorting field hehe, thats not unique to Apples boss) going on when it comes to internet and filesharing.
Theres a lot the music industry tries and there are some hundreds filesharers with legal trouble now. Hmm, given that millions and millions of people do it however the statistics dont paint a very troubling image. Only the media does. You may guess why. De facto any well informed netizen knows that filesharing is booming still. Much to the anger of the music industry.
Could that be because the risk to be run over by a truck is larger than getting trouble with the music industries lawyers? Well yes, the number of serious car accidents in america is in the 10ks. Yet people still use cars. Ouch. Terrorists are harmless compared to that. Another RDF. But thats offtopic.
Now lets look at this remote access to ones OWN music:
1. Whoever wants to make you trouble first has to find it. And no this is not what the lawyers of the music industry search for. There are millions of people participating in unsecured systems like bittorrent, emule etc where a lot of copyright abuse happens. This RSP is not meant to be used for illegal means and would be very inconvenient for that end. So why would one target something thats neither meant nor used for these means when other thngs are way easier to find?
2. It is secured by a password. Maybe not the most rock solid implementation but its a burden. You need to write a script and run it and hope my password is weak which you dont know. Or hack Rons implementation of the password challenge.
3. You need to break laws massively to create a scenario where you can legally attack me for this.
So put this together and ask yourself what the statistic risk is really. Ron is taking a way bigger risk by simply running these forums and writing this firefly server. He’s way more legally exposed here. So why is he still doing it?
In the end it comes down to my pragmatic point of view: I dont see whats wrong with listening to my music from a place other than my own castle called home. I dont share the thing to everyone. I password protect it and dont announce it publically. I keep an eye on my NSLU continuously so that it doesnt become spambot #2zillion. etc. pp.
So in the end the remaining risk I simply take with a shrug, despite beeing aware of it. And should I be extremely unlucky and your scenario comes through then I will swear and take it as a challenge to defend myself. 😎26/12/2006 at 11:37 PM #8123
To be honest, I don’t care a bit whether you get in trouble or not, since you seem to be aware of it 😀
But you named the important point – this is a public forum. You’ve got knowledge, and you spread it: you make a clear point by saying
With fireflymediaserver there is no need to run tunnels or VPN any more therefore.
And you don’t even mention the password protection anywhere (over there at the Roku forums). So that’s no longer just you – you recommend a way of doing things to others, giving you responsibility (actually the same one you mentioned as much bigger 😉 ).
Another example: I can keep my own PC clean of viruses without having an antivirus app installed, but I would never recommend this to anyone else.
Or I could look at the statistics and know that everyone gets about three break-ins in his live anyway, so I can just keep my doors unlocked – still wouldn’t recommend that to anyone else.
Ok, the chance in this case is arguable; if you’ve got some rare provider not much will come by; if you’ve got your PC connected to a university network though, especially to a students dormitory network, you’ll have up to a few dozen different attacks per day – some of those tools can be used by just about any script kiddy (and I’ve known enough fellow students who did let a multitude of scanners run 24/7 just for the fun of it)!
I work in the security sector, and at times I had to answer dozens of requests from people each day… all of the type: “but my friend told me I don’t need an antivirus/antimalware/firewall/vpn/whatever”.
Therefore: take whatever risk you want for yourself – but be careful about what advise you give others 😉27/12/2006 at 1:02 AM #8124
That saying that theres no need any more to use a tunnel or so was more from the technical side. You dont need to run a tunnel to get it to stream any more. Its easier this way and I pointed out how.
Cause I doubt most ppl have been using ssh-tunnels for the safety of it. At least not to get DAAP streaming remote. They most likely just wanted to get it going and ssh-tunnels can be a bit complicated.
But your right. I didnt mention password protecting it at all. Nor the opposite of course. I tested it very shortly without a password myself before I got it all going right though. Thats how I found glitch #1 that I mention. That I would not recommend running it without a password protection open goes without saying or? Or maybe not. Hehe.
Speaking of student dormitories. Thats a different world. I knew one (housing like 200 students) where someone dumped an old PC in the cellar. Someone else hooked it up to the internet and attached 2 cheap harddrives. The thing was running for years totally open and unsecured. Noone knew any more who put it down there. Fully accessible from the internet. Without any updates, passwords set to admin/admin and full off all the whole dormitory community wanted to share. If it was getting too full someone deleted something old. IMHO that thing was never hacked. Probably waaay to boring thing to do if its totally open anyway. I have no idea it still exists but I would not be surprised.
Amazing eh? I certainly found it interesting that this did work for years. And now if someone wants to duplicate that behaviour. be welcome but dont complain to me later hehe.
- The forum ‘General Discussion’ is closed to new topics and replies.