Just your normal everyday casual software dev. Nothing to see here.

People can share differing opinions without immediately being on the reverse side. Avoid looking at things as black and white. You can like both waffles and pancakes, just like you can hate both waffles and pancakes.

Been trying to lower my social presence on services as of late; may go inactive randomly as a result.

  • 0 Posts
  • 875 Comments
Joined 3 years ago
Cake day: August 15th, 2023


  • I don’t think downplaying them is the way to go though. Some of these issues have been in existence since 2019.

    Like I mentioned though, it does seem like it’s starting to be worked on; a few of them are in progress. The one I really don’t like is #13991, which is a combination of:

    • #13982, which allows an alternative user to interact with the client read-only as if they were another user, as long as they have the user ID and any valid auth token (which includes the current user’s auth token). Original issue: #5210, 2/10/2021; status: partially mitigated 5/11/24 with v10.9, which locked modifying data behind elevation, but getting the data can still be done in select endpoints.
    • and #13990, which gives any user with standard login access (like, say, the common family TV’s account) the ability to access the getUser endpoint and retrieve said previous user ID. In progress since 12/2/25; reported via the megathread creation 3/8/2021.

    For example, I just made a user with no access to any collection, period, just login access, and took the auth token for the user. I was able to grab every user on the server’s ID, including hidden and administrative users as well as users who don’t use Jellyfin’s auth system, then couple that to see what the users’ login method was, when their last access was, what folders they were allowed to use [note these are represented as IDs; the client can’t actually parse them, so you need to traverse the API for it], how many max sessions they could have, etc., without actually having access to or logging in as that user, or even being an administrator.

    If you snag an admin’s user ID it even gives you internal server data such as the logging paths that the server uses on the dashboard, the transcode path, the metadata path, and what networking settings the server is using, such as trusted IP nets, the port Jellyfin is using by default, and your certificate file and password if configured [although the password may be omitted/the field left blank; I didn’t test internal certs]. From there you can even recurse through the folder UUIDs provided via “enabledfolders” and the other folder restrictions on the users endpoint and get the names of the folders, which could leak personal information about the library or the user, because the 403 it returns leaks the name of the library as part of the error message: “username is not allowed to access Library name”.

    Thankfully it’s finally being worked on, but I do think it’s worth stating the timeframe on them and that those issues do still exist.

    Just like I think it’s worth stating that media endpoints are still fully unauthenticated as well, so as long as you can guess the full file path, you can MD5 it and get unauthenticated media paths. That’s in progress as well; it’s just super slow because that breaks third-party clients.
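The enumeration pattern the comment above describes (one low-privilege token walking every /Users/{id} record, then walking folder IDs until the 403 messages give up library names) is visible from the reverse proxy even when the server itself logs nothing useful. The script below is an added example, not code from the commenter or from the Jellyfin project: it parses nginx combined-format access lines, groups GET requests by client IP, and flags a client that pulls many distinct /Users/{id} records or collects many 403s across distinct /Items/{id}. The route shapes, the 32-hex-character ID format, the thresholds, and the sample log lines are all assumptions constructed for the example; adjust the regexes to your deployment and any base URL prefix.

```python
import re
from collections import defaultdict

# Constructed nginx "combined"-format access log lines from a reverse proxy in front
# of a Jellyfin server. Made up for this example, not captured from any deployment.
# The route shapes (/Users, /Users/{id}, /Items/{id} with 32-hex-char IDs) are an
# assumption; adjust the regexes to your setup (and any base URL prefix).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /Users/Me HTTP/1.1" 200 812 "-" "Jellyfin Web/10.9"
203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /Users HTTP/1.1" 200 9120 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /Users/3a1f2c4e5b6d7e8f9a0b1c2d3e4f5a6b HTTP/1.1" 200 1004 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "GET /Users/7c2d9e1f0a3b4c5d6e7f8a9b0c1d2e3f HTTP/1.1" 200 998 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:04 +0000] "GET /Users/b4e6d8f0a2c4e6f8a0b2c4d6e8f0a2b4 HTTP/1.1" 200 1210 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:04 +0000] "GET /Users/d1c2b3a4f5e6d7c8b9a0f1e2d3c4b5a6 HTTP/1.1" 200 1187 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:05 +0000] "GET /Items/0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c HTTP/1.1" 403 96 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:05 +0000] "GET /Items/1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b HTTP/1.1" 403 101 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jan/2025:10:00:06 +0000] "GET /Items/2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d HTTP/1.1" 403 88 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jan/2025:10:01:00 +0000] "GET /Users/Me HTTP/1.1" 200 790 "-" "Jellyfin Android/2.6"
192.0.2.10 - - [10/Jan/2025:10:01:02 +0000] "GET /Users/9f8e7d6c5b4a39281706f5e4d3c2b1a0 HTTP/1.1" 200 801 "-" "Jellyfin Android/2.6"
192.0.2.10 - - [10/Jan/2025:10:01:05 +0000] "GET /Items/3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e HTTP/1.1" 200 4120 "-" "Jellyfin Android/2.6"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
HEX_ID = r"[0-9a-fA-F]{32}"
USER_BY_ID_RE = re.compile(rf"^/Users/({HEX_ID})$")
ITEM_BY_ID_RE = re.compile(rf"^(?:/Users/{HEX_ID})?/Items/({HEX_ID})$")


def parse_line(line):
    """Parse one combined-format line; return a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def analyze(log_text, user_id_threshold=3, forbidden_threshold=3):
    """Group GET requests by client IP and flag enumeration-shaped behaviour.

    user-enumeration:   a client fetched >= user_id_threshold distinct /Users/{id}
                        records (a normal client only fetches its own).
    library-id-probing: a client collected >= forbidden_threshold 403s on distinct
                        /Items/{id} (walking folder IDs it is not allowed to see).
    The thresholds are arbitrary starting points; tune them to your traffic.
    """
    per_client = defaultdict(lambda: {
        "user_ids": set(), "user_list_requests": 0,
        "forbidden_item_ids": set(), "user_agents": set(),
    })
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "GET":
            continue
        stats = per_client[rec["client"]]
        stats["user_agents"].add(rec["ua"])
        if rec["path"] == "/Users":
            stats["user_list_requests"] += 1
        m = USER_BY_ID_RE.match(rec["path"])
        if m:
            stats["user_ids"].add(m.group(1).lower())
        m = ITEM_BY_ID_RE.match(rec["path"])
        if m and rec["status"] == 403:
            stats["forbidden_item_ids"].add(m.group(1).lower())

    findings = {}
    for client, s in per_client.items():
        flags = []
        if len(s["user_ids"]) >= user_id_threshold:
            flags.append("user-enumeration")
        if len(s["forbidden_item_ids"]) >= forbidden_threshold:
            flags.append("library-id-probing")
        findings[client] = {
            "distinct_user_ids": len(s["user_ids"]),
            "user_list_requests": s["user_list_requests"],
            "forbidden_item_ids": len(s["forbidden_item_ids"]),
            "user_agents": sorted(s["user_agents"]),
            "flags": flags,
        }
    return findings


if __name__ == "__main__":
    for client, f in analyze(SAMPLE_LOG).items():
        verdict = ", ".join(f["flags"]) or "ok"
        print(f"{client}: {verdict} ({f['distinct_user_ids']} user records, "
              f"{f['forbidden_item_ids']} forbidden item IDs, agents={f['user_agents']})")
```

Two caveats when running this on real logs. First, the auth token travels in a request header, so a default access log only lets you key on client IP; if your proxy can log the authenticated username, key on that instead and the signal gets much cleaner. Second, an administrator's dashboard legitimately lists users and fetches several of their records, so expect to allow-list admin clients or raise the user-ID threshold rather than treat every hit as hostile. The script also counts over the whole file; for continuous monitoring you would bucket by a time window.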



  • I’m not using Plex, but I feel like I can answer my complaints about using Jellyfin.

    My biggest complaint is the lack of clients. It is such a pain in the butt to install Jellyfin on all of my products.

    My second complaint is the security design. They’ve had open issues about unauthenticated endpoints for three or four years now. And whenever an issue gets so old that it starts to look bad, they refactor it into a newer issue and bury it in the sand.

    For a while this was done under the guise of maintaining legacy client support, but just recently it looks like they’re starting to focus on more security, and I’ve noticed some of those security holes are being closed finally, but it’s a major concern for me that they’ve been open for as long as they have.


  • the word “Global” in “Global Domain Takedown” is doing a lot of heavy lifting here.

    The only domains taken down are going to be registrars that either fall in US jurisdiction or voluntarily take it down. A US court order has no teeth outside of the US. I expect they are right in their response: “we’re chill, we’re used to it.” The operators are clearly not concerned about it, because at the end of the day it holds no bearing outside of the US, and there are always going to be domains that don’t care about a US court order.

    This court order is going to have an uphill battle in getting non-US jurisdictions to want to comply as well. I expect that they will be forced to go through local courts for it, but even then it’s hit or miss whether a non-US court is going to care about a US company’s damages.


  • I don’t think it would be all that much more effort, to be honest.

    All states require vehicle registration, and it would just be supplying the current odometer reading at the point of annual registration and comparing it to a list of mileages to determine cost.

    Now don’t take me wrong, that list can be as simple as a base amount divided by how many miles it did, or it could be as complicated as breaking down every model of vehicle and having a different fee for every model.

    Data-storage-wise, it’s just checking the previous odometer reading against the current odometer reading; both are still there. The difference is how much mileage you had.

    Human-effort-wise, it’s just an extra box on the registration form.

    Honestly, there’s an argument that it would be easier to have that system than the current system that we have for gas tax, since the gas tax system is required at every single pump out there every time you fill, whereas the mileage-based odometer reading would only be at town offices/BMV as a yearly thing.


  • The proposed EV tax would require almost 20k miles a year in order to break even if you compared it to a 24 mile/g ICE vehicle. That’s what is stupid about the entire thing. There is a super obvious vendetta, and it isn’t to supplement the tax system. How many people put 20k miles on their vehicle a year? I know I’m on the lower end, but I barely got 3k miles over the last 2 years because my car doesn’t have to leave my house much. Back when I had to commute 30 minutes 5 days a week for work, I would do maybe 10k per year. The 24 mile/g is at the low end as well. Most consumer ICE vehicles are even more fuel efficient than that, with the US national average according to the EPA being 27.1 miles per gallon across all manufacturers in 2023 and that rising to 28.1 by 2025.

    With the national annual mileage average being 13,474 miles (per the Federal Highway Administration), why should an EV be forced to pay a flat rate that is the equivalent of 22,907.6 miles for an ICE vehicle (assuming national averages)? That’s nearly double the price of its ICE counterpart, which doesn’t use a flat rate.

    If they were serious about this supplementing the system, it would be based on mileage, since all vehicles require yearly registration with mileage anyway. In my eyes this is clearly intended to push people away from EVs.


  • Depending on what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny what’s on the server. My main complaint on it currently is that the Jellyfin team is aware of the fact that it doesn’t need authentication, but is looking for some miracle solution that won’t toss legacy clients out in order to fix it, so the issues are just perpetually open.

    Edit: it looks like some of these issues may be being worked on now that they moved the problematic protocol into a plugin. I hope that means they will close them in the next few releases!



  • Yeah, I intentionally restricted my post to the base tiers, as Game Pass has a similar schema, since they both show similar feature sets at higher tiers.

    I made a basic breakdown:

    1. Basic
      • PS Essential: $11/mo
        • multiplayer
        • Share Play
        • save backups
        • discounts on store
        • monthly games selection, valid for the duration of the subscription
      • Game Pass Essential: $10/mo
        • multiplayer
        • free game catalog: 123 [81 of which are supported on Windows as well]
        • cloud gaming: 87
        • in-game benefits in select first-party games
        • rewards program
    2. Mid Tier
      • PS Extra: $15/mo
        • previous tier
        • free game catalog: 409
        • Ubisoft Classics program: 59
      • Game Pass Premium: $15/mo
        • previous tier
        • free game catalog: 572 [395 of which are supported on Windows]
        • cloud gaming: 412
        • first-party games promised to be in the game catalog within 1 year of release (Call of Duty excluded)
        • semi-priority cloud play queue
        • 2x reward points
    3. Best Tier
      • PS Premium: $18/mo
        • previous tier
        • classics catalog: 163
        • game trial catalog: 260
        • Sony Pictures catalog (a movie/media streaming service)
        • cloud streaming
      • Game Pass Ultimate: $23/mo
        • previous tier
        • free game catalog: 909 [587 of which are supported on Windows]
        • cloud gaming: 555
        • day-1 first-party releases in the free game catalog (Call of Duty excluded)
        • free EA Play: 182 games + select DLC
        • Ubisoft Classics: 120
        • Fortnite Crew
        • priority cloud gaming
        • 4x reward points

    This was just a somewhat quick list of info found online when comparing the two. I can see each tier being useful to someone, but I personally find that Sony’s offerings for PS+ don’t stack up to Game Pass, and that’s from someone who has been a loyal Sony fan since the PS1.