[HN Gopher] YouTube: "Older Unlisted videos will be made Private...
___________________________________________________________________
YouTube: "Older Unlisted videos will be made Private unless you opt
out"
Author : tech234a
Score : 108 points
Date : 2021-06-23 21:09 UTC (1 hours ago)
(HTM) web link (support.google.com)
(TXT) w3m dump (support.google.com)
| judge2020 wrote:
| So the reasoning makes it sound like there was potentially an
| exploit that made it easy to find unlisted videos? Were the video
| IDs deterministic perhaps?
| carl_dr wrote:
| Maybe their old scheme, when divided by the number of videos,
| was getting to the point where it was feasible you could brute
| force finding unlisted videos.
|
| The old scheme had 7.3 x 10^19 ids (11 chars, base 64, thanks
| Tom Scott!). Suspiciously close to the max value of a 64-bit
| int, hmmm ...
|
| Assume a billion videos and you're down to 10^10 - a one in a
| 10 billion chance isn't much chance, but it's far from secure.
|
| (I'm ignoring the fact that only a small %age of videos are
| unlisted I guess, but I think the point still stands.)
| quantumofalpha wrote:
| Yes, exactly. Video ID is just a base64'ed DES-encrypted
| primary int64 video key from MySQL. It used to be sequentially
| incremented until at some point they switched to randomly
| generated primary keys. Any (ex-) engineer who snapped a copy
| of the key (it used to sit right in the code for anyone to see)
| can enumerate all videos from YT until that moment, including
| unlisted - which are only protected by secrecy of that one key.
| If the key leaks, then also anyone in the world can. That's
| what they are afraid of here. Source: worked for YT.
| ktm8 wrote:
| Just for curiosity, how would YT deal with ID collision ?
|
| Edit: Before the scheme change I mean
| root_axis wrote:
| Try again? Just a guess.
| remram wrote:
| Probably they just roll again. You can even implement that
| in a stored procedure.
| Animats wrote:
| I need to move some of my early technical videos to Vimeo now. I
| never connected my pre-Google YouTube account to Google, and so I
| can't do anything with them. It's been over a year since I logged
| into Google, anyway.
| contingencies wrote:
| Please share the URL! I always appreciate your hardware
| comments and would love to see what you've shared in video
| format.
| throwawaysea wrote:
| A related frustration for me is when I have random videos in my
| "watch later" list replaced with a gray square and a note saying
| the video is no longer unavailable or has been made private.
| Since I don't even get any details of what the video was
| (title/channel/description), I can't go find it elsewhere. It's
| like having a song deleted from a playlist silently. It makes me
| wonder if I should even rely on Google's features for this sort
| of thing, or maintain a list elsewhere.
| contingencies wrote:
| Almost like submitting to centralized gatekeeping is a crime
| against public culture, intellectual history and social
| integrity... wait... what are we all building again?
| varispeed wrote:
| These days I use ytdl instead of watch later... A friend sent
| me a link to an amazing tech tutorial someone made and they
| wasn't sure whether that is their thing. Of course they
| received a lot of abuse from internet trolls and later deleted
| the video and disappeared. I was never able to find that video
| again and since then I always download.
| echelon wrote:
| Google the URL. You'll often find it in the Google cache or
| linked from somewhere else with the full description. This can
| sometimes be enough information to find an alternate source.
| judge2020 wrote:
| The thing that makes this fishy is that I also received an email
| for my Google Workspace organization about link sharing changing
| for Google Drive for a security update, and the date it initially
| takes effect is the same day at this YouTube thing, July 23.
|
| https://support.google.com/a/answer/10685032?hl=en
|
| Could something have happened across their entire Zanzibar/ ACL
| infrastructure?
| tenerifevisitor wrote:
| What is Zanzibar?
| tech234a wrote:
| YouTube mentions the Drive change on their blog post[1], and
| Drive mentions the YouTube change on theirs[2].
|
| [1]: https://blog.youtube/news-and-events/update-youtube-
| unlisted...
|
| [2]: https://workspaceupdates.googleblog.com/2021/06/drive-
| file-l...
| xxpor wrote:
| I completely thought the email I got for this (for my personal
| Google app domain) was a phishing attempt. Why couldn't they
| have included the text in the email rather than some generic
| sketchy "You have a notification" nonsense?
| llacb47 wrote:
| Could you explain what that is?
| jzelinskie wrote:
| The permissions service at Google. For more details see:
| https://authzed.com/blog/what-is-zanzibar/
| chx wrote:
| https://research.google/pubs/pub48190/
| pininja wrote:
| This seems to be a planned change related to a new link generator
| they released in 2017 [1]. You can opt out here [2] if an old
| video is effected. It seems like the unlisted feature is
| otherwise unchanged. I suppose you can also flip an effected
| video back to unlisted and get a new link after this goes into
| effect.
|
| [1]
| https://support.google.com/youtube/thread/114633828/changes-...
|
| [2] https://support.google.com/youtube/answer/9230970
| dukeofdoom wrote:
| I guess that means you can't put your Dead Man Switch video on
| youtube anymore. How far into the future can you schedule a video
| anyway.
| barosl wrote:
| That's unfortunate. I have a few videos which seems to have been
| forgotten even by their uploaders. Those videos would probably
| not be updated. I guess I need to back them up manually.
| james-skemp wrote:
| Or uploaders who have died and may have unlisted videos and
| linked to them in descriptions or comments.
|
| I don't recall the creator, but I do recall a video series that
| used links in the videos that pointed to other videos for a
| basic quiz or choose your own adventure.
| Causality1 wrote:
| Yes. I always tell people that if they really love a YouTube
| video they need to archive it themselves. Tons and tons of
| content gets erased all the time for many different reasons.
| Just recently I found two of my favorite channels, popular
| around a decade ago, had deleted almost all their content
| because their jokes were too offensive for today's audience and
| they wanted to project a more mature aesthetic. That would've
| been a huge chunk of my early adulthood gone forever if I
| hadn't already had copies of all their videos.
| bmurphy1976 wrote:
| I have one video in my favorites that is marked as unavailable.
| This drives me crazy I'll never know what that video was. I
| only have a couple videos in my favorites and every single one
| of them is important to me.
|
| If you can back them up.
| brokenmachine wrote:
| I have hundreds of missing videos in my various lists.
|
| I wish youtube would at least keep the title there so you
| know what it is that has been lost.
|
| Welcome to the alzheimic future.
| nipponese wrote:
| Does youtube-dl support playlists?
| globular-toast wrote:
| This is what I use youtubedl for. I don't trust Google to keep
| stuff I'm interested in available forever.
| btown wrote:
| A welcome move for individuals who may have embarrassing content
| as Unlisted links. Future politicians will thank you. But... this
| will hit B2B product training and product marketing libraries
| _hard_. Many companies I 've seen have help pages with embedded
| or linked videos for features not updated in years, and many of
| those embeds are Unlisted videos so that they're only seen in the
| context of their help article, not promoted randomly by the
| YouTube algorithm. Some may have legacy content on legacy "X Corp
| Training" YouTube channels where nobody knows how to opt out of
| this policy shift. And especially post-COVID, they may no longer
| have the same technology and training teams, if they have any at
| all. They may not even have the YouTube login.
|
| I could see a policy where YouTube made Unlisted videos Private
| that only had referrers from social media; this would be a
| welcome compromise to ensure non-guessability of URLs. But I can
| also see how this could become complicated and political. And
| companies using YouTube in this way aren't really contributing to
| YouTube's revenue materially, so there's not much incentive
| relative to the reputational risk of people guessing Unlisted
| links.
|
| I shudder to think that healthcare professionals or heavy-
| machinery operators might be relying on these links to be trained
| in systems they use, will start to see broken links, will never
| report them back to the right people at their system providers,
| will just not get the full training, will make mistakes, and
| might cause harm as a result.
|
| Security is _not_ the only component of safety, and impacts need
| to be evaluated holistically.
| app4soft wrote:
| > _A welcome move for individuals who may have embarrassing
| content as Unlisted links._
|
| All those "early access" on Patreon.
| [deleted]
| newsclues wrote:
| Maybe critical training materials should not be published to
| YouTube?
| dathinab wrote:
| Seems reasonable tbh. even through it might "hit" some hidden and
| mostly forgotten gems.
| falcolas wrote:
| Doesn't to me. Patreon tier-restricted videos, not to mention
| family shared videos, fall into this category, and not all
| creators are savy enough to know they need to do this.
| jackson1442 wrote:
| Did they send an email to affected accounts? There seems to
| be a logical reason for this (newer unlisted videos have a
| more secure url generator), so I'd say this is neutral at
| worst.
| MauranKilom wrote:
| Some of my videos would be affected and I got an email from
| them. Seems reasonable to me.
|
| Of course, there is probably a large number of currently
| unlisted videos from accounts that are no longer active,
| which would effectively be lost after this change.
| Unfortunate.
| jackson1442 wrote:
| It'd be interesting if Google had made this only apply to
| accounts that have had activity in, say, the last six
| months. If an account logs in and was skipped due to
| inactivity, it would then be appropriate to prompt them
| for their decision.
|
| That, of course, requires significantly more engineering
| so I can see why it didn't happen.
| varispeed wrote:
| Now I regret not saving at least a list of links of some of the
| videos :(
|
| How people who died are supposed to tick the box :/
| anfilt wrote:
| I was thinking the same not everyone is sadly still around to
| make sure their content does not go basically poof.
| prometheus76 wrote:
| The opt-out process only takes 30 seconds.
| mankyd wrote:
| Link to the form:
| https://support.google.com/youtube/contact/older_unlisted_up...
| falcolas wrote:
| The problem isn't the opt-out time, it's the lag time to
| identify that you _need to opt out_. That could be years, or
| (effectively) forever.
|
| The creators might no longer be with us, to boot.
| varispeed wrote:
| What if the uploader of videos died? How are they supposed to
| do that...
| dragonwriter wrote:
| > What if the uploader of videos died?
|
| Google has process for handling accounts of the deceased
| (mostly for closing them and exporting some data, which can
| then be moved to a new account). Or individuals could assure
| that next of kin get credentials to their account for
| control.
|
| But, yeah, a zombie account (without any active owner) won't
| be able to opt out.
| kmfrk wrote:
| Very, very drastic, but this is basically the public S3 bucket
| approach to locking down private data leaked by accident.
|
| Maybe another video category would have made for better
| distinction.
| beebeepka wrote:
| I think it's mostly a good thing but it's Google so there must be
| an angle. Am I too jaded?
| mjfl wrote:
| caching efficiency probably.
| axiosgunnar wrote:
| Or making private videos a paid feature?
| CamperBob2 wrote:
| Weird thing to downvote. I'd like to be able to pay to
| ensure that no ads are placed on my own B2B videos, myself.
| mankyd wrote:
| > Am I too jaded?
|
| Yes.
|
| Edit: they give the reason explicitly
| https://support.google.com/youtube/thread/114633828/changes-...
|
| > Why? In 2017, we rolled out a security update to the system
| that generates new Unlisted video links. This update included
| security enhancements that make the links for your Unlisted
| videos even harder for someone to discover if you haven't
| shared the link with them. We're now making changes to older
| Unlisted videos that were uploaded before this update took
| place.
| [deleted]
| fortenforge wrote:
| yes
| DevKoala wrote:
| Can they monetize the content that is being hidden? If not,
| perhaps that's the answer.
| coliveira wrote:
| Reducing costs in storage/caching.
| echelon wrote:
| I don't think so.
|
| With respect to storage, there's a provision to delete old
| videos in the EULA at any time Google chooses. Eventually
| Google will pull the trigger.
|
| Caching, I'm not so sure, but I'd be surprised if hiding old
| unlisted videos freed up enough of it to matter. New videos
| probably dominate cache storage.
| hellbannedguy wrote:
| I think it might be legal.
|
| When Google bought Youtube Videos, I followed their directions
| on the new password, etc.
|
| Something went wrong, and I couldn't delete, or edit my own
| videos.
|
| They weren't that embarassening, but I used youtube originally
| as kind of a diary, or todo list.
|
| I tried for awhile to get them off, but failed, and just gave
| up.
|
| I did reach a human in advertising one day, and she told me,
| "Those issues are not what they hired he fooor. Try the help
| boards?". (She brought back memories of certian new college
| grads, and I realized how difficult it is to talk to a human at
| Google.)
|
| Anyway--the vids are still up their years later, with people
| telling me how lousy they are. I just commented on my own
| videos. Telling people at one time, some uploaders just posted
| without thinking about clicks.
___________________________________________________________________
(page generated 2021-06-23 23:00 UTC)