Stealing From Thieves

Join us for our monthly meetup! This month’s speaker is Nicholas Anastasi and Juan Pablo (JP) Gomez Postigo giving their talk: Stealing From Thieves!

Remember running uTorrent to grab movies and music back in the day? Things have changed. Media piracy has evolved into polished, automated "homelab stacks" built on tools like Sonarr, Radarr, and their "Servarr" siblings. These stacks are assembled with dashboards, request portals, and media servers such as Plex and Jellyfin. With just a few clicks, anyone can stand up a streaming empire at home.

But that convenience comes with an attack surface. These projects share code, reuse the same defaults, and often skip security altogether. We'll demonstrate how code-level vulnerabilities, such as authentication bypasses, insecure backup handling, and exposed services, put entire homelabs at risk. Along the way, we'll trace how hobbyist automation turned into a monoculture ripe for compromise, and why, as always, putting stuff on the Internet can be a bad idea.

Nicholas Anastasi is the Director of Technical Operations at Sprocket Security where he hacks on companies and code. In his free time, Nicholas is an avid ultra distance runner with a serious addiction to candy. Nicholas has spoken at several conferences on various topics such as social engineering, password spraying and Active Directory attack paths.

Juan Pablo (JP) Gomez Postigo is a Penetration tester at Sprocket Security. As a graduate from Marquette University with a degree in BioComputer Engineering, JP has been immersed in the world of cybersecurity for the past four years and is also a member of the US Cyber Team. When he’s not breaking things, JP enjoys archery, running, rock climbing, and 3D printing in his workshop.