[HN Gopher] YouTube: "Older Unlisted videos will be made Private... ___________________________________________________________________ YouTube: "Older Unlisted videos will be made Private unless you opt out" Author : tech234a Score : 108 points Date : 2021-06-23 21:09 UTC (1 hours ago) (HTM) web link (support.google.com) (TXT) w3m dump (support.google.com) | judge2020 wrote: | So the reasoning makes it sound like there was potentially an | exploit that made it easy to find unlisted videos? Were the video | IDs deterministic perhaps? | carl_dr wrote: | Maybe their old scheme, when divided by the number of videos, | was getting to the point where it was feasible you could brute | force finding unlisted videos. | | The old scheme had 7.3 x 10^19 ids (11 chars, base 64, thanks | Tom Scott!). Suspiciously close to the max value of a 64-bit | int, hmmm ... | | Assume a billion videos and you're down to 10^10 - a one in a | 10 billion chance isn't much chance, but it's far from secure. | | (I'm ignoring the fact that only a small %age of videos are | unlisted I guess, but I think the point still stands.) | quantumofalpha wrote: | Yes, exactly. Video ID is just a base64'ed DES-encrypted | primary int64 video key from MySQL. It used to be sequentially | incremented until at some point they switched to randomly | generated primary keys. Any (ex-) engineer who snapped a copy | of the key (it used to sit right in the code for anyone to see) | can enumerate all videos from YT until that moment, including | unlisted - which are only protected by secrecy of that one key. | If the key leaks, then also anyone in the world can. That's | what they are afraid of here. Source: worked for YT. | ktm8 wrote: | Just for curiosity, how would YT deal with ID collision ? | | Edit: Before the scheme change I mean | root_axis wrote: | Try again? Just a guess. | remram wrote: | Probably they just roll again. You can even implement that | in a stored procedure. | Animats wrote: | I need to move some of my early technical videos to Vimeo now. I | never connected my pre-Google YouTube account to Google, and so I | can't do anything with them. It's been over a year since I logged | into Google, anyway. | contingencies wrote: | Please share the URL! I always appreciate your hardware | comments and would love to see what you've shared in video | format. | throwawaysea wrote: | A related frustration for me is when I have random videos in my | "watch later" list replaced with a gray square and a note saying | the video is no longer unavailable or has been made private. | Since I don't even get any details of what the video was | (title/channel/description), I can't go find it elsewhere. It's | like having a song deleted from a playlist silently. It makes me | wonder if I should even rely on Google's features for this sort | of thing, or maintain a list elsewhere. | contingencies wrote: | Almost like submitting to centralized gatekeeping is a crime | against public culture, intellectual history and social | integrity... wait... what are we all building again? | varispeed wrote: | These days I use ytdl instead of watch later... A friend sent | me a link to an amazing tech tutorial someone made and they | wasn't sure whether that is their thing. Of course they | received a lot of abuse from internet trolls and later deleted | the video and disappeared. I was never able to find that video | again and since then I always download. | echelon wrote: | Google the URL. You'll often find it in the Google cache or | linked from somewhere else with the full description. This can | sometimes be enough information to find an alternate source. | judge2020 wrote: | The thing that makes this fishy is that I also received an email | for my Google Workspace organization about link sharing changing | for Google Drive for a security update, and the date it initially | takes effect is the same day at this YouTube thing, July 23. | | https://support.google.com/a/answer/10685032?hl=en | | Could something have happened across their entire Zanzibar/ ACL | infrastructure? | tenerifevisitor wrote: | What is Zanzibar? | tech234a wrote: | YouTube mentions the Drive change on their blog post[1], and | Drive mentions the YouTube change on theirs[2]. | | [1]: https://blog.youtube/news-and-events/update-youtube- | unlisted... | | [2]: https://workspaceupdates.googleblog.com/2021/06/drive- | file-l... | xxpor wrote: | I completely thought the email I got for this (for my personal | Google app domain) was a phishing attempt. Why couldn't they | have included the text in the email rather than some generic | sketchy "You have a notification" nonsense? | llacb47 wrote: | Could you explain what that is? | jzelinskie wrote: | The permissions service at Google. For more details see: | https://authzed.com/blog/what-is-zanzibar/ | chx wrote: | https://research.google/pubs/pub48190/ | pininja wrote: | This seems to be a planned change related to a new link generator | they released in 2017 [1]. You can opt out here [2] if an old | video is effected. It seems like the unlisted feature is | otherwise unchanged. I suppose you can also flip an effected | video back to unlisted and get a new link after this goes into | effect. | | [1] | https://support.google.com/youtube/thread/114633828/changes-... | | [2] https://support.google.com/youtube/answer/9230970 | dukeofdoom wrote: | I guess that means you can't put your Dead Man Switch video on | youtube anymore. How far into the future can you schedule a video | anyway. | barosl wrote: | That's unfortunate. I have a few videos which seems to have been | forgotten even by their uploaders. Those videos would probably | not be updated. I guess I need to back them up manually. | james-skemp wrote: | Or uploaders who have died and may have unlisted videos and | linked to them in descriptions or comments. | | I don't recall the creator, but I do recall a video series that | used links in the videos that pointed to other videos for a | basic quiz or choose your own adventure. | Causality1 wrote: | Yes. I always tell people that if they really love a YouTube | video they need to archive it themselves. Tons and tons of | content gets erased all the time for many different reasons. | Just recently I found two of my favorite channels, popular | around a decade ago, had deleted almost all their content | because their jokes were too offensive for today's audience and | they wanted to project a more mature aesthetic. That would've | been a huge chunk of my early adulthood gone forever if I | hadn't already had copies of all their videos. | bmurphy1976 wrote: | I have one video in my favorites that is marked as unavailable. | This drives me crazy I'll never know what that video was. I | only have a couple videos in my favorites and every single one | of them is important to me. | | If you can back them up. | brokenmachine wrote: | I have hundreds of missing videos in my various lists. | | I wish youtube would at least keep the title there so you | know what it is that has been lost. | | Welcome to the alzheimic future. | nipponese wrote: | Does youtube-dl support playlists? | globular-toast wrote: | This is what I use youtubedl for. I don't trust Google to keep | stuff I'm interested in available forever. | btown wrote: | A welcome move for individuals who may have embarrassing content | as Unlisted links. Future politicians will thank you. But... this | will hit B2B product training and product marketing libraries | _hard_. Many companies I 've seen have help pages with embedded | or linked videos for features not updated in years, and many of | those embeds are Unlisted videos so that they're only seen in the | context of their help article, not promoted randomly by the | YouTube algorithm. Some may have legacy content on legacy "X Corp | Training" YouTube channels where nobody knows how to opt out of | this policy shift. And especially post-COVID, they may no longer | have the same technology and training teams, if they have any at | all. They may not even have the YouTube login. | | I could see a policy where YouTube made Unlisted videos Private | that only had referrers from social media; this would be a | welcome compromise to ensure non-guessability of URLs. But I can | also see how this could become complicated and political. And | companies using YouTube in this way aren't really contributing to | YouTube's revenue materially, so there's not much incentive | relative to the reputational risk of people guessing Unlisted | links. | | I shudder to think that healthcare professionals or heavy- | machinery operators might be relying on these links to be trained | in systems they use, will start to see broken links, will never | report them back to the right people at their system providers, | will just not get the full training, will make mistakes, and | might cause harm as a result. | | Security is _not_ the only component of safety, and impacts need | to be evaluated holistically. | app4soft wrote: | > _A welcome move for individuals who may have embarrassing | content as Unlisted links._ | | All those "early access" on Patreon. | [deleted] | newsclues wrote: | Maybe critical training materials should not be published to | YouTube? | dathinab wrote: | Seems reasonable tbh. even through it might "hit" some hidden and | mostly forgotten gems. | falcolas wrote: | Doesn't to me. Patreon tier-restricted videos, not to mention | family shared videos, fall into this category, and not all | creators are savy enough to know they need to do this. | jackson1442 wrote: | Did they send an email to affected accounts? There seems to | be a logical reason for this (newer unlisted videos have a | more secure url generator), so I'd say this is neutral at | worst. | MauranKilom wrote: | Some of my videos would be affected and I got an email from | them. Seems reasonable to me. | | Of course, there is probably a large number of currently | unlisted videos from accounts that are no longer active, | which would effectively be lost after this change. | Unfortunate. | jackson1442 wrote: | It'd be interesting if Google had made this only apply to | accounts that have had activity in, say, the last six | months. If an account logs in and was skipped due to | inactivity, it would then be appropriate to prompt them | for their decision. | | That, of course, requires significantly more engineering | so I can see why it didn't happen. | varispeed wrote: | Now I regret not saving at least a list of links of some of the | videos :( | | How people who died are supposed to tick the box :/ | anfilt wrote: | I was thinking the same not everyone is sadly still around to | make sure their content does not go basically poof. | prometheus76 wrote: | The opt-out process only takes 30 seconds. | mankyd wrote: | Link to the form: | https://support.google.com/youtube/contact/older_unlisted_up... | falcolas wrote: | The problem isn't the opt-out time, it's the lag time to | identify that you _need to opt out_. That could be years, or | (effectively) forever. | | The creators might no longer be with us, to boot. | varispeed wrote: | What if the uploader of videos died? How are they supposed to | do that... | dragonwriter wrote: | > What if the uploader of videos died? | | Google has process for handling accounts of the deceased | (mostly for closing them and exporting some data, which can | then be moved to a new account). Or individuals could assure | that next of kin get credentials to their account for | control. | | But, yeah, a zombie account (without any active owner) won't | be able to opt out. | kmfrk wrote: | Very, very drastic, but this is basically the public S3 bucket | approach to locking down private data leaked by accident. | | Maybe another video category would have made for better | distinction. | beebeepka wrote: | I think it's mostly a good thing but it's Google so there must be | an angle. Am I too jaded? | mjfl wrote: | caching efficiency probably. | axiosgunnar wrote: | Or making private videos a paid feature? | CamperBob2 wrote: | Weird thing to downvote. I'd like to be able to pay to | ensure that no ads are placed on my own B2B videos, myself. | mankyd wrote: | > Am I too jaded? | | Yes. | | Edit: they give the reason explicitly | https://support.google.com/youtube/thread/114633828/changes-... | | > Why? In 2017, we rolled out a security update to the system | that generates new Unlisted video links. This update included | security enhancements that make the links for your Unlisted | videos even harder for someone to discover if you haven't | shared the link with them. We're now making changes to older | Unlisted videos that were uploaded before this update took | place. | [deleted] | fortenforge wrote: | yes | DevKoala wrote: | Can they monetize the content that is being hidden? If not, | perhaps that's the answer. | coliveira wrote: | Reducing costs in storage/caching. | echelon wrote: | I don't think so. | | With respect to storage, there's a provision to delete old | videos in the EULA at any time Google chooses. Eventually | Google will pull the trigger. | | Caching, I'm not so sure, but I'd be surprised if hiding old | unlisted videos freed up enough of it to matter. New videos | probably dominate cache storage. | hellbannedguy wrote: | I think it might be legal. | | When Google bought Youtube Videos, I followed their directions | on the new password, etc. | | Something went wrong, and I couldn't delete, or edit my own | videos. | | They weren't that embarassening, but I used youtube originally | as kind of a diary, or todo list. | | I tried for awhile to get them off, but failed, and just gave | up. | | I did reach a human in advertising one day, and she told me, | "Those issues are not what they hired he fooor. Try the help | boards?". (She brought back memories of certian new college | grads, and I realized how difficult it is to talk to a human at | Google.) | | Anyway--the vids are still up their years later, with people | telling me how lousy they are. I just commented on my own | videos. Telling people at one time, some uploaders just posted | without thinking about clicks. ___________________________________________________________________ (page generated 2021-06-23 23:00 UTC)