Home of the Squeezebox™ & Transporter® network music players.
#21 | Senior Member | Join Date: Dec 2006 | Posts: 657
    I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using a strong password. However, reading the recommendations, I just turned it off. Exactly how is a plain-text password compromised in this scenario?

    I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.

#22 | Mnyb, Senior Member | Join Date: Feb 2006 | Location: Västerås, Sweden | Posts: 16,171
    Quote Originally Posted by SamS:
    > I've been doing this for years (mainly for iPeng playback), with no ill effects. I was using a strong password. However, reading the recommendations, I just turned it off. Exactly how is a plain-text password compromised in this scenario?
    >
    > I get the same functionality by installing the Plex iOS app, and my lifetime Plexpass subscription.

    Exactly as I said, it's sent as plain text from, for example, a browser on your phone to your server, to be intercepted by who knows.
    And the security in LMS is not the strongest kind anyhow...
    --------------------------------------------------------------------
    Main hifi: Touch + CIA PS + Meridian G68J, Meridian HD621, Meridian G98DH, 2 x Meridian DSP5200, Meridian DSP5200HC, 2 x Meridian DSP3100 + Rel Stadium 3 sub.
    Bedroom/Office: Boom
    Kitchen: Touch + powered Fostex PM0.4
    Misc use: Radio (with battery)
    iPad1 with iPengHD & SqueezePad
    (spares: Touch, SB3, Receiver, Controller)
    Server: HP ProLiant MicroServer N36L with ClearOS Linux

    http://people.xiph.org/~xiphmont/demo/neil-young.html

#23 | Senior Member | Join Date: Jun 2008 | Location: Hildesheim, Germany | Posts: 2,191

    Quick search for LMS (screenshot attached below):

    Please do not ALL disable it, I need some bad examples for security awareness trainings. (Sorry, only kidding)

    [Attachment: LMS_Scan.JPG]
    2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880, LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD -> FLAC = dbpoweramp, Router AVM Fritz 7490

    last.fm/user/jo-wie

#24 | mherger (Babelfish's Best Boy) | Join Date: Apr 2005 | Location: Switzerland | Posts: 19,805

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > Please do not ALL disable it, I need some bad examples for security
    > awareness trainings. (Sorry, only kidding)


    Are you searching for LMS? Ugh... that's even worse than Squeezebox...

    --

    Michael

#25 | Senior Member | Join Date: Jun 2008 | Location: Hildesheim, Germany | Posts: 2,191
    Quote Originally Posted by mherger:
    > > Please do not ALL disable it, I need some bad examples for security
    > > awareness trainings. (Sorry, only kidding)
    >
    > Are you searching for LMS? Ugh... that's even worse than Squeezebox...
    >
    > --
    > Michael

    The interesting point is that I have the feeling the number was falling over the last months but is now rising again. I was really using it as a bad example for trainings, and so I had a look at it several times. But maybe the search engine simply found more because it was scanning further areas.
    2 * Classic, 2 * Boom, piCorePlayer on Raspberry PI II B with HifiBerry attached to Objective 2 ( Head 'n' HiFi KIT) with Beyerdynamic DT880, LMS 7.9 on Odroid U3 with Max2Play, 500GB USB HD, controlled by Squeezepad or iPeng on iPad and Orange Squeezepad on Nexus 5x, CD -> FLAC = dbpoweramp, Router AVM Fritz 7490

    last.fm/user/jo-wie

#26 | mherger (Babelfish's Best Boy) | Join Date: Apr 2005 | Location: Switzerland | Posts: 19,805

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > The interesting point is, that I have the feeling that the number was
    > falling the last months but now is raising again.


    Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
    But numbers seemed to grow in the past weeks, and significantly dropped
    over the past few days (-15%).

    I was wondering how I should handle this situation. These users have a
    serious security issue they should know about. But am I allowed to
    "hack" their system in order to protect themselves from the bad hacker?

    --

    Michael

#27 | Jeff07971, Senior Member | Join Date: Aug 2011 | Location: London, England | Posts: 877
    Quote Originally Posted by mherger:
    > > The interesting point is, that I have the feeling that the number was
    > > falling the last months but now is raising again.
    >
    > Interesting indeed: I've been monitoring "squeezebox" rather than LMS.
    > But numbers seemed to grow in the past weeks, and significantly dropped
    > over the past few days (-15%).
    >
    > I was wondering how I should handle this situation. These users have a
    > serious security issue they should know about. But am I allowed to
    > "hack" their system in order to protect themselves from the bad hacker?
    >
    > --
    > Michael
    I'm afraid the simple answer is NO, it would be extremely unwise!! If you "hacked" (not sure if that's even the right term, as these systems are wide open) I'm very sure it would be seen as illegal in many countries.

    A large and sticky warning on the home page of the forums would be wiser.

    Whilst the situation is quite serious, I see nothing that can really be done about it; if the "hacks" are just waking people up at obscene hours, hopefully a message in the forums will get more attention.

    I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the list of open LMSs, meaning people update (or it is done automatically), so a software change may work to help.
    I was thinking that not responding (unless specifically allowed) to the router address (or gateway) may work. That way those that use a VPN can turn it on, but those who forward ports will have to come to the forum to ask why their forwarding no longer works.

    Edit: Nothing much can be done about the 7.7.5's

    Jeff
    Players: SliMP3, Squeezebox3 x3, Receiver, SqueezeLiteX, PiCorePlayer x3, Wandboard
    Server: LMS Version: Latest Nightly on CentOS 7 VM on ESXi 6.5.0U1 on Dell T320
    Plugins: AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty
    Remotes: iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
    Music: 383GB, 1346 albums with 18894 songs by 4501 artists, mostly FLACs

    Want a webapp ? See http://forums.slimdevices.com/showth...Webapp-for-LMS

#28 | Jeff07971, Senior Member | Join Date: Aug 2011 | Location: London, England | Posts: 877
    Hi Michael

    Another idea!

    Use a list generated by THAT search engine to grab a list of open LMSs and automatically send a command to turn all players on and stream a file from Logitech saying something like "This system is compromised, please see article on forum" repeatedly until stopped.

    This idea is more aggressive and would need to be run by legal, but may have a better effect.

    Jeff
    Players: SliMP3, Squeezebox3 x3, Receiver, SqueezeLiteX, PiCorePlayer x3, Wandboard
    Server: LMS Version: Latest Nightly on CentOS 7 VM on ESXi 6.5.0U1 on Dell T320
    Plugins: AutoRescan/BBCiPlayer/PowerSave/PowerSwitchIII/Squeezecloud/Spotty
    Remotes: iPeng9/Orangesqueeze/PC/Jivelite/SqueezeLiteX
    Music: 383GB, 1346 albums with 18894 songs by 4501 artists, mostly FLACs

    Want a webapp ? See http://forums.slimdevices.com/showth...Webapp-for-LMS

#29 | Senior Member | Join Date: Apr 2005 | Location: UK/London | Posts: 758
    You could change LMS to require a password if the IP address is not local, and have a maximum number of password attempts before suspending such access for X hours, plus a setting to disable all of this for someone who really insists on taking the risk.
    At least those users who have auto-update enabled would have a bit better protection.
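The policy proposed in #29 (local clients pass without a password, non-local clients must authenticate, repeated failures lock that address out for a while, and an explicit opt-out switch) written out as an added Python example; this is not LMS code, and the LAN ranges, the limits and the class name are assumptions made for the illustration.

```python
import ipaddress
import time
from collections import defaultdict

# LAN ranges treated as "local" (assumption: RFC 1918, loopback, link-local, IPv6 ULA).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def is_local(ip):
    """True if the client address is inside one of the configured LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)

class RemoteAccessPolicy:
    """Password required for non-local clients; lockout after repeated failures."""
    def __init__(self, max_failures=5, lockout_seconds=4 * 3600,
                 allow_remote_unauth=False, clock=time.time):
        self.max_failures = max_failures                # failures before lockout
        self.lockout_seconds = lockout_seconds          # the "X hours" in the post
        self.allow_remote_unauth = allow_remote_unauth  # explicit opt-out switch
        self.clock = clock                              # injectable for testing
        self.failures = defaultdict(int)                # ip -> consecutive failures
        self.locked_until = {}                          # ip -> lockout expiry time

    def _is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is not None and self.clock() >= until:  # lockout expired: reset
            del self.locked_until[ip]
            self.failures[ip] = 0
        return ip in self.locked_until

    def decide(self, ip):
        """Return 'locked', 'allow' (no password needed) or 'password'."""
        if self._is_locked(ip):
            return "locked"
        if is_local(ip) or self.allow_remote_unauth:
            return "allow"
        return "password"

    def record_login(self, ip, success):
        """Update counters after a password check; returns 'ok', 'fail' or 'locked'."""
        if success:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            return "locked"
        return "fail"
```

The server would call decide() on every request and record_login() after each password check; note that the address seen by LMS behind a port forward is the remote client's, so the "local" test still works, whereas a reverse proxy on the LAN would make every client look local unless the forwarded-for header is honoured.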

#30 | mherger (Babelfish's Best Boy) | Join Date: Apr 2005 | Location: Switzerland | Posts: 19,805

    IMPORTANT: Stop forwarding your LMS ports to the internet!

    > A large and sticky warning on the home page of the forums would be
    > wiser.


    Unfortunately only a very small percentage of the SB community is
    regularly visiting these forums. Even I wouldn't get to see that message!

    > I note that there are a lot of v7.9.0 and more than a few v7.9.1 in the
    > list of open LMS's meaning people update (or is done automatically) so a
    > software change may work to help.


    Interesting. In my list there are far more 7.7.x installations than
    7.9.x. And many are really old, like 7.7.2/3.

    > Use a list generated by THAT search engine to grab a list of open LMS's
    > and automatically sent a command to turn all player on and stream a file
    > from Logitech saying something like "This system is compromised please
    > see article on forum" repeatedly until stopped.


    This is about as far as my "hacking" would go: interact with LMS.

    --

    Michael
