|
| 1 | +<!doctype html> |
| 2 | +<meta charset="utf-8"> |
| 3 | +<head> |
| 4 | + |
| 5 | +<link rel="stylesheet" href="../../../../../static/normalize.css"> |
| 6 | +<link rel="stylesheet" href="../../../../../static/skeleton.css"> |
| 7 | +<link rel="stylesheet" href="../../../../../static/style.css"> |
| 8 | +<link rel="stylesheet" href="../../../../../static/pygments.css"> |
| 9 | + |
| 10 | +<link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png"> |
| 11 | +<link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png"> |
| 12 | +<link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png"> |
| 13 | +<link rel="manifest" href="/site.webmanifest"> |
| 14 | + |
| 15 | +<!-- Mobile Specific Metas |
| 16 | +–––––––––––––––––––––––––––––––––––––––––––––––––– --> |
| 17 | +<meta name="viewport" content="width=device-width, initial-scale=1"> |
| 18 | + |
| 19 | +<!-- FONT |
| 20 | +–––––––––––––––––––––––––––––––––––––––––––––––––– --> |
| 21 | + |
| 22 | +<title>Stealing From Thieves — MadPy</title> |
| 23 | + |
| 24 | + |
| 25 | + <meta property="og:image" content="https://madpy.com/static/images/2026-03-05-Stealing-From-Thieves-social-card-1200x630.png"/> |
| 26 | + <meta property="og:image:width" content="1200"/> |
| 27 | + <meta property="og:image:height" content="630"/> |
| 28 | + |
| 29 | + |
| 30 | + |
| 31 | + |
| 32 | + <meta property="og:title" content="Stealing From Thieves, Thu, Mar 5 @ 6:30 PM | MadPy"/> |
| 33 | + |
| 34 | + |
| 35 | + |
| 36 | + |
| 37 | + <meta property="og:description" content="Come join MadPy for a deep dive into the security risks lurking in modern media piracy homelabs. Learn how popular automation tools like Sonarr and Radarr have created a monoculture of interconnected services—and why that's a hacker's dream. Nicholas Anastasi reveals real vulnerabilities from authentication bypasses to exposed backups that put entire streaming empires at risk. Because convenience and security rarely go hand in hand."/> |
| 38 | + |
| 39 | + |
| 40 | +</head> |
| 41 | +<body> |
| 42 | + <div class="container"> |
| 43 | + |
| 44 | + <div class="row"> |
| 45 | + <div class="three columns"> |
| 46 | + <nav> |
| 47 | + <h3 id="logo"><img src="../../../../../static/images/madpy-logo.svg" alt="MadPy logo" width="200" height="200"></h3> |
| 48 | + <ul> |
| 49 | + <li><a href="../../../../../">About</a></li> |
| 50 | + |
| 51 | + <li class="active"><a href="../../../../">Events</a></li> |
| 52 | + |
| 53 | + <li><a href="../../../../../bookclub/">Book Club</a></li> |
| 54 | + |
| 55 | + <li><a href="../../../../../sponsorship/">Sponsorship</a></li> |
| 56 | + |
| 57 | + <li><a target="_blank" href="https://slack.madpy.com/">Slack</a></li> |
| 58 | + <li><a target="_blank" rel="me" href="https://fosstodon.org/@madpy">Mastodon</a> |
| 59 | + <li><a target="_blank" href="https://github.com/madison-python">GitHub</a> |
| 60 | + <li><a target="_blank" href="https://www.meetup.com/MadPython/">Meetup.com</a> |
| 61 | + <li><a target="_blank" href="/survey">Survey</a></li> |
| 62 | + </ul> |
| 63 | + </nav> |
| 64 | + |
| 65 | + </div> |
| 66 | + |
| 67 | + <div class="nine columns"> |
| 68 | + |
| 69 | + |
| 70 | + <div class="blog-post"> |
| 71 | + |
| 72 | + <h2>Stealing From Thieves</h2> |
| 73 | + |
| 74 | + <p class="meta"> |
| 75 | + Presented by: |
| 76 | + |
| 77 | + Nicholas Anastasi |
| 78 | + |
| 79 | + <br /><br /> |
| 80 | + Thursday, March 5 2026, 6:30 PM<br /> |
| 81 | + Madison Public Library, 201 W Mifflin St, Room 302 [<a href="https://maps.app.goo.gl/UpdANHPrWpstdDHe6">Map</a>]<br /> |
| 82 | + RSVP on <a href="https://www.meetup.com/madison-python/events/313483906/">Meetup</a> |
| 83 | + |
| 84 | + </p> |
| 85 | + <p><img src="../../../../../static/images/2026-03-05-Stealing-From-Thieves-social-card-1536x1024.png" alt=""></p> |
| 86 | +<p>Remember running uTorrent to grab movies and music back in the day? Things have changed. Media piracy has evolved into polished, automated "homelab stacks" built on tools like Sonarr, Radarr, and their "Servarr" siblings. These stacks are assembled with dashboards, request portals, and media servers such as Plex and Jellyfin. With just a few clicks, anyone can stand up a streaming empire at home.</p> |
| 87 | +<p>But that convenience comes with an attack surface. These projects share code, reuse the same defaults, and often skip security altogether. We'll demonstrate how code-level vulnerabilities, such as authentication bypasses, insecure backup handling, and exposed services, put entire homelabs at risk. Along the way, we'll trace how hobbyist automation turned into a monoculture ripe for compromise, and why, as always, putting stuff on the Internet can be a bad idea.</p> |
| 88 | +<p>Nicholas Anastasi is the Director of Technical Operations at Sprocket Security where he hacks on companies and code. In his free time, Nicholas is an avid ultra distance runner with a serious addiction to candy. Nicholas has spoken at several conferences on various topics such as social engineering, password spraying and Active Directory attack paths.</p> |
| 89 | + |
| 90 | + </div> |
| 91 | + |
| 92 | + |
| 93 | + </div> |
| 94 | + |
| 95 | + </div> |
| 96 | + </div> |
| 97 | + |
| 98 | +<!-- JS |
| 99 | +================================================== --> |
| 100 | +<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script> |
| 101 | + |
| 102 | +<!-- <script> |
| 103 | + (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ |
| 104 | + (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), |
| 105 | + m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) |
| 106 | + })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); |
| 107 | +
|
| 108 | + ga('create', 'UA-100252062-1', 'auto'); |
| 109 | + ga('send', 'pageview'); |
| 110 | +
|
| 111 | +</script> --> |
| 112 | +</body> |
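Review bot: the jQuery include at line 100, `<script src="http://code.jquery.com/jquery-1.7.1.min.js"></script>`, fetches a third-party script over plain http:// with no `integrity` attribute, so anyone on the network path can substitute it, and on an https:// site it will be blocked as mixed content; jQuery 1.7.1 is also a long-unsupported release. Suggest self-hosting it under `../../../../../static/` like the stylesheets, or at least switching to an https:// URL with a Subresource Integrity hash and `crossorigin="anonymous"`. Minor markup points in the same hunk: `<meta charset="utf-8">` (line 2) sits before `<head>` and there is no `<html>`/`</html>` wrapper, and the Mastodon, GitHub and Meetup.com `<li>` elements (lines 58–60) are missing their `</li>`.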