Discussion in 'Computer Audiophile: Software, Configs, Tools' started by AllanMarcus, Jul 3, 2016.
This is what I thought. Thanks for your input.
That is until the 'Roon Arc Exploit' comes out
You know, the software guys that work at Roon probably don't have core competency with internet services (Bob Stuart is their mentor and inspiration after all). I agree that the risk is relatively low, lower than some other things a typical person does with their network. Still, security through obscurity may well be the saving grace here - Roon is a niche of a niche of a niche...
Yeah, I mean... it's an open port. Look inside your Roon Remote settings at the ARC tab, it'll tell you which port you have open. Anyone on the internet can connect to that port, and from that point on, you're entirely at the mercy of Roon's software quality not to have buffer overflows or XML parsing vulnerabilities or whatever else.
If their software is buggy, an attacker now has permission on the machine where you have Roon installed to do whatever the user running the Roon service can do (at the very least, probably delete all your music). If that machine has an open privilege escalation exploit (and if you're not assiduous about updating it, it might), now they have root on that machine and can do anything on it. And even without that, now they're inside your network, and can probe around for other gaps or open file shares or insecure smart lightbulbs to turn into DDoS bots, or whatever else.
It's a real risk, and the main mitigating factor is that Roon is too obscure for most people to give a shit trying to hack Roon. But security through obscurity only works until it doesn't. So hopefully Roon is really good at network security?
Roon operates on the .NET runtime; while not impossible, C#'s memory management makes it significantly tougher for most buffer exploits to occur.
For a moment there, I was thinking of MQA.
No. They can try and connect to that port. That's a not so subtle difference to what you said.
For me, security through invisibility is my preference
Even before ARC, that's why my Roon Core is a standalone Linux box, frequently updated, with no privileged access to anything else on the same LAN. Yeah, it could try to hack my IoT gadgets, I have other measures on this network to reduce outbound risk. In an ideal world they'd be using something like QUIC but apparently there aren't yet robust implementations for all the platforms Roon is on.
Quality is perfectly fine for listening while driving/walking, which is all I was expecting from it.
I use Roon at home and Spotify (paid) in the car. I don't think Arc is going to change that picture for me.
Heads up that Roon Core 2.0 won't run on older Mac and Windows systems (minimum requirements are macOS 10.15 Catalina and Windows 10). Notably, older models of Mac Mini can't run Catalina.
The crazy thing is that Roon 2.0 will go ahead and install itself onto incompatible devices. Some users who were running old systems upgraded and got stuck, and it's a hassle to downgrade back to 1.8.
On the flip side, it now supports Apple silicon natively.
Yes. Roon is now using .NET instead of Mono for the Mac version which not only supports Apple Silicon natively, it also has MUCH better memory management. This has not only improved performance on the M1 Macs, but it has also fixed the memory leak problems some users were seeing.
Roon 2.0 will not work without an internet connection. They offloaded some functionality to their servers. When the internet is down, Roon 2.0 is not able to play local music files. A big discussion going on in the Roon community forums.
It doesn't immediately stop if you're using ROCK, at least - I restarted my network infrastructure this morning down to the VDSL modem and it kept playing.
Meh, I'm geeky enough that I keep FB2k and JRiver up to date, not to mention UAPP on my phone that does Qobuz too.
Yep, Danny in his usual pleasant way confirms. Sons of bitches...
Apparently users that want offline access can stay on version 1.8 Legacy, which won't prompt an upgrade. Seems much of this was focused on not having to maintain offline search functionality. I don't get why basic search of a local library and metadata would be difficult to maintain in offline mode, just not having full search or "Valence" functionality.
OMG... what a horrible design decision.
Even in an industry (software) that is known for their myopic view of how their customers actually use and relate to their product, this decision surprises me.
I experimented briefly, dropping my network (and thus internet) connection. With no internet, Roon will not start up at all, hanging early on in the startup process. If you start up Roon with internet, and then drop your connection, it will run a few minutes and you can add/subtract/play local files, but I'm not sure for how long.