Once I saw Plex required an account even to self-host, it was a no-go for me. Stuff like this is why. (among other reasons, like "why should I go through a 3rd party for something I'm 100% hosting on my own hardware/network")
I switched to Jellyfin last year and never looked back. The only thing I find lacking is the Apple TV App, I tried Swiftfin but it stutters the whole time when playing high quality UHD content. I tried Infuse and it works much better
I am a huge Plex power user; watching something at least once a day.
Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (altho this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.
Live TV is magical when you set up ErsatzTV and self-host that part as well. You can make channels out of anything. The modes of "I want to watch this specific thing now" and "I want to see what's 'on' right now and pick something to put on in the background" are very different and complementary. I end up relying on the latter more than the former.
Good news! You can whitelist exceptions by IP/subnet
Go into Plex Settings, then Settings > Network (show advanced). Scroll down to "List of IP addresses and networks that are allowed without auth"
"Comma separated list of IP addresses or IP/netmask entries for networks that are allowed to access Plex Media Server without logging in. When the server is signed out and this value is set, only localhost and addresses on this list will be allowed."
Put your local subnet and netmask into that (e.g. "192.168.1.1/255.255.255.0") and you should be all good
FYI, I also have "Secure Connections" set to "Preferred", but I don't know if that makes a difference for this or not
PSA: If you are the owner of your Plex server and follow the _Sign out connected devices after password change- as they suggest, your server claim will also be expired.
So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.
They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...
Yep, this was a huge hassle for me, I didn't realize it would happen!
Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.
I appreciate the transparency, but the phrase securely hashed always makes me a little nervous. It's a huge spectrum, right? We talking bcrypt/scrypt with a proper salt, or something from the old days?
When they got hacked three years ago the notice included this:
> Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.
Whether that later changed for the worse is anyone's guess.
On a related note; if you're still considering whether you should put passwords, or rather, hashes thereof—in your application database of choice—please, decide against doing so at all costs! Instead, you should probably use a dedicated secret management deployment: think Hashicorp Vault[1], OpenBao[2], or Keto[3] if you'd like to go beyond with ReBAC (Relationship-based access control) of Google's Zanzibar[4] fame. The benefits of a HA deployment like this far outweigh the upstart integration costs as you get to use a single, shared frame of reference to reason about your internal and external resources alike. Customer passwords, passkeys, certificates, internal CA, ACME, at-rest, in-transit, what have you, is controlled from a single point of consumption with one policy space to rule them all. It helps to use dedicated HSM capability, too. In cloud environments, AWS Nitro enclaves exist now; you could put something like Vault inside one[5].
Vault is more or less Old Testament, though, so if you're serious about zero trust, Zanzibar paper is a must-read!
Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's behalf within a clearly-defined scope (sic!) This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.
I can only comment that their communication on the incident is lacking, I've read about the incident yesterday and only today I received the relevant email. On top, it seems that all of a sudden I started getting marketing emails from them although I had unsubscribred in the past, coincidence?
I made an account there to use my Home Assistant as a media server and it's already the second time they reported that they messed up something. I heard you can install VLC on the Apple TV and stream through that, so I'll definitely do that and skip these weird middle companies.
Why not use Jellyfin then? It's basically an open source alternative to Plex. You run Jellyfin on your server and in Apple TV use Swiftin (Jellyfin + Swift) for integration.
Anyone remember a few years back there was a major Lastpass data breach?
I roughly recall Plex is somewhat involved in the compromise. One of the Lastpass employees compromised via Plex that leads to Lastpass data breach if I'm not mistaken.
Readit News
I've been very happy with Jellyfin FWIW :)
Unfortunately, Plex is a bit of a mess these days - constantly pushing Live TV on us, requiring internet access to access local media (this is a killer whenever internet goes down), overly complex, clunky remote access (altho this is much better these days). But it still isn't bad enough to make me try and migrate. I love my local setup (Sonarr and a custom app for movies as Radarr is OTT for the amount of movies we watch) and Plex is very polished (compared to the alternatives) but I do wonder how much longer it will be around.
Good news! You can whitelist exceptions by IP/subnet
Go into Plex Settings, then Settings > Network (show advanced). Scroll down to "List of IP addresses and networks that are allowed without auth"
"Comma separated list of IP addresses or IP/netmask entries for networks that are allowed to access Plex Media Server without logging in. When the server is signed out and this value is set, only localhost and addresses on this list will be allowed."
Put your local subnet and netmask into that (e.g. "192.168.1.1/255.255.255.0") and you should be all good
FYI, I also have "Secure Connections" set to "Preferred", but I don't know if that makes a difference for this or not
Easy way for me to turn my brain off and find a good documentary/educational show at the end of the day
So you'll have to get a new claim from https://www.plex.tv/claim and set it on your server; through the PLEX_CLAIM env var if your setup involves Docker.
They talk vaguely about it under _Common Issues_ but it wasn't on the original email, so I lost 15 minutes of my day because of this...
Another option is to do `ssh -L 32400:localhost:32400 <your-plex-address>` and connect to http://localhost:32400/web, it will let you claim the server as it detects the connection being local.
> Even though all account passwords that could have been accessed were hashed (with bcrypt plus salted and peppered) and secured in accordance with best practices, out of an abundance of caution we are requiring all Plex accounts to have their password reset.
Whether that later changed for the worse is anyone's guess.
Vault is more or less Old Testament, though, so if you're serious about zero trust, Zanzibar paper is a must-read!
Relationships lend nicely to AI agent stuff, where RBAC is putting you at a disadvantage. It's hard to express both direct and indirect access patterns in RBAC. For example, whenever agents would act on your, or your user's behalf within a clearly-defined scope (sic!) This is where traditional RBAC breaks down, whilst ReBAC really shines for expressing relationships between user/agent/system identities, thus greatly simplifying checking, scoping, audit.
[1]: https://developer.hashicorp.com/vault
[2]: https://openbao.org/
[3]: https://www.ory.sh/keto
[4]: https://research.google/pubs/zanzibar-googles-consistent-glo...
[5]: https://edgebit.io/enclaver/docs/0.x/guide-vault/
I roughly recall Plex is somewhat involved in the compromise. One of the Lastpass employees compromised via Plex that leads to Lastpass data breach if I'm not mistaken.