I was just setting up remote runners for TankieTube when I had an epiphany:

I could ask comrades to volunteer their own computers!

That way those who can’t or don’t care to donate monetarily could still contribute.


How would it work?

Conceptually, you can think of it like a crypto mining botnet. Except it transcodes videos for the community instead of producing heat for individual profit. And it’s voluntary ofc.

It can run on any operating system with an internet connection. I’m going to use my gaming desktop and at least one VPS.


Tech level required: comfortable copy-and-pasting things into a CLI.

OpSec considerations: negligible as far as I can tell. There is no P2P involved. Your computer talks directly to the TankieTube server using sicko-to-HTTPS communication. The server would see your IP address, but that’s always the case on every website.


Thoughts?

  • TankieTanuki [he/him]@hexbear.net (OP) · 3 months ago

    Yeah, I use a designated user prunner like the docs suggested.

    Is ffmpeg really that much of a security concern?

    > making their personal computers vulnerable to attack via manipulated video files

    Is this any more dangerous than BitTorrenting anime? All the video files would be coming from https://tankie.tube only.

      • PorkrollPosadist [he/him, they/them]@hexbear.net · 3 months ago

        I think it is worth further research, at least. Setting aside potential exploits in ffmpeg, containerization (if not virtualization) seems necessary. A process running as root in a Docker container effectively has root access to the host, but a properly designed container should run all the work as non-privileged users. This work can be isolated using the cgroups APIs (Docker should manage this, I think) and potentially reinforced with SELinux policies. Done correctly, this would effectively limit the impact of remote code execution in ffmpeg to denial of service. The attack surface for privilege escalation would then be limited to the Linux syscall API, utilities with the setuid flag, etc. (highly, highly audited stuff that would allow you to root any machine if it were broken).

        Alternately, it might be worth looking at bubblewrap, which is the basis of Flatpak containerization.
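
One way to apply the isolation discussed in the comment above, as an added example that is not part of the thread or the PeerTube runner's own code: a POSIX shell function that wraps a single ffmpeg transcode in bubblewrap with no network, a read-only view of /usr and one writable output directory. The function names, paths and ffmpeg options are assumptions, and the mounts assume a glibc distribution with a merged /usr.

```shell
# Added example: wrap one ffmpeg transcode in a bubblewrap sandbox.
# Paths and ffmpeg options are assumptions, not PeerTube runner settings.
# usage: sandbox print|run INPUT_FILE OUTPUT_DIR
sandbox() {
  mode=$1 in_file=$2 out_dir=$3

  # New user/pid/net/ipc/uts/cgroup namespaces: no network, no host processes.
  set -- bwrap --unshare-all --die-with-parent --new-session --cap-drop ALL
  # Minimal environment instead of the volunteer's own.
  set -- "$@" --clearenv --setenv PATH /usr/bin:/bin
  # Binaries and libraries read-only (assumes glibc and a merged /usr).
  set -- "$@" --ro-bind /usr /usr --ro-bind /etc/ld.so.cache /etc/ld.so.cache
  set -- "$@" --symlink usr/bin /bin --symlink usr/lib /lib --symlink usr/lib64 /lib64
  # Private /proc, /dev and /tmp; the home directory is never mounted.
  set -- "$@" --proc /proc --dev /dev --tmpfs /tmp
  # Untrusted upload is read-only; the output directory is the only writable host path.
  set -- "$@" --ro-bind "$in_file" /work/input --bind "$out_dir" /work/out --chdir /work
  # ffmpeg may open local files only, even if the container format references a URL.
  set -- "$@" ffmpeg -nostdin -protocol_whitelist file -i /work/input
  set -- "$@" -c:v libx264 -c:a aac /work/out/output.mp4

  case $mode in
    print) printf '%s\n' "$@" ;;   # inspect the argv without running it
    run)   "$@" ;;                 # needs bwrap and ffmpeg installed
    *)     echo "usage: sandbox print|run INPUT_FILE OUTPUT_DIR" >&2; return 2 ;;
  esac
}

# Count writable host binds in the argv; the layout above allows exactly one.
writable_binds() {
  sandbox print "$1" "$2" | grep -cx -- '--bind'
}
```

Running `sandbox print` first shows the exact argv, so the mounts can be reviewed before any untrusted file is decoded.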

      • TankieTanuki [he/him]@hexbear.net (OP) · 3 months ago

        What is the threat model? The TankieTube server sends a malicious MP4 to the remote runner machine? Or a malicious remote runner sends a malicious MP4 to the server?

        The former is easy to avoid by me not being evil. The latter is only a security concern for the TankieTube server, not the contributors.

    • trompete [he/him]@hexbear.net · 3 months ago

      Ffmpeg is used by everybody so you’d hope people are looking at it, but I’m sure there are security bugs in there, and probably plenty of them, since it’s C parser/decoder code, probably the most dangerous kind of code. I think web browsers do some kind of sandboxing around ffmpeg, plus web browsers restrict the kinds of formats they support, but ffmpeg (and peertube?) supports a lot more, many of which will not be audited/fuzzed to the same degree.

      Ideally this would be sandboxed so much it can’t call anything but read(2) and write(2). I have no idea if any of this software does any sandboxing at all.

      > Is this any more dangerous than BitTorrenting anime?

      Maybe, depends on what exactly you’re worried about. There are potentially political actors that might be interested in fucking with tankie.tube, whereas you can’t really target anyone specifically with BitTorrent. Also the attacker knows exactly what software will be used to decode the videos, which makes this easier to exploit. I assume that videos can get uploaded to tankie.tube by basically anybody, and those videos would be sent out to be transcoded on random people’s machines?

      If you assume tankie.tube (maybe peertube in general) is just too small to be on anyone’s radar, then that’s probably fine.

      • TankieTanuki [he/him]@hexbear.net (OP) · 3 months ago

        > I assume that videos can get uploaded to tankie.tube by basically anybody,

        Yes.

        > and those videos would be sent out to be transcoded on random people’s machines?

        Randomly to anyone entrusted with a token bestowed by me.

        BTW I love your avatar. :3
