Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Trolling Github's DMCA repo with their own security flaws.

Add new Youtube-dl copy to DMCA repo

  1. Fork https://github.com/github/dmca
  2. Download latest youtube-dl source code from https://yt-dl.org/latest
  3. Extract
    tar -xvf youtube-dl-2020.09.20.tar.gz
    
  4. Push code to your fork as the GitHub CEO
    cd youtube-dl-2020.09.20
    git init
    git add .
    git config user.email "nat@github.com"
    git config user.name "Nat Friedman"
    git commit -m "Your message to the RIAA and GitHub Here"
    git remote add origin git@github.com:YOURUSER/dmca
    git push -f origin master
    
  5. Get new URL to share!
    echo "https://github.com/github/dmca/tree/$(git rev-parse HEAD)"
    

Clone hidden repo from DMCA repo:

git clone -n https://github.com/github/dmca.git youtube-dl
cd youtube-dl
git fetch origin 416da574ec0df3388f652e44f7fe71b1e3a4701f
git checkout FETCH_HEAD
@RubberDuckShobe

This comment has been minimized.

Copy link

@RubberDuckShobe RubberDuckShobe commented Oct 27, 2020

oh my god, this is gold

@jedrekk

This comment has been minimized.

Copy link

@jedrekk jedrekk commented Oct 27, 2020

https://yt-dl.org/latest is the correct URL

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 27, 2020

This is fucking brilliant...

Even better than when I submitted a bug where you can view a private repos commits and contributors. That still works.

@SvenZ64

This comment has been minimized.

Copy link

@SvenZ64 SvenZ64 commented Oct 27, 2020

You're doing god's work. Don't mess with us again ;)

@wpgaurav

This comment has been minimized.

Copy link

@wpgaurav wpgaurav commented Oct 27, 2020

I freaking loved this.

@KlfJoat

This comment has been minimized.

Copy link

@KlfJoat KlfJoat commented Oct 27, 2020

Even better than when I submitted a bug where you can view a private repos commits and contributors. That still works.

@davwheat Want to share that bug report... for science?

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 27, 2020

I would, but I don't remember the exact details. It revolved around needing forks of the private repo, but even if it was an old copy of the repo, you could still see newer commits in the Network tab.

@stephen304

This comment has been minimized.

Copy link

@stephen304 stephen304 commented Oct 27, 2020

I would, but I don't remember the exact details. It revolved around needing forks of the private repo, but even if it was an old copy of the repo, you could still see newer commits in the Network tab.

This is what I was wondering about when I made the merge commit that pushed ytdl to dmca. That bug still works?

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 27, 2020

Got it!

click to expand

Screenshot_2020-10-27-20-55-32-79

@KlfJoat

This comment has been minimized.

Copy link

@KlfJoat KlfJoat commented Oct 27, 2020

THANKS!!!

That "repository network" explanation looks like it might also explain the behavior that @lrvick is exploiting in this gist.

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 27, 2020

Yep! It definitely is... Wait... Does that mean I can see the contents of the other private repo from the fork?? Lemme test this on a corporate repo I have access to...

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 27, 2020

Oh my god... That is hilarious.

image

@09F911029D74E35BD84156C5635688plusC0

This comment has been minimized.

Copy link

@09F911029D74E35BD84156C5635688plusC0 09F911029D74E35BD84156C5635688plusC0 commented Oct 28, 2020

I created a alt account on GitHub to test this out. It doesnt work? Did I forget to set up something on my alt?

image

@stephen304

This comment has been minimized.

Copy link

@stephen304 stephen304 commented Oct 28, 2020

I noticed that they removed my PR as well as one made by youtube-dl2 (both seem to be the only 2 that involved youtube-dl commits), maybe that could be related. This has been left up wayy longer than I thought it would be.

@lrvick

This comment has been minimized.

Copy link
Owner Author

@lrvick lrvick commented Oct 28, 2020

youtubedl2: still up https://github.com/github/dmca//tree/19441f8f51759e59df62f667791385034564c5be

Can't see yours @stephen304.

You don't need a PR. You just need to still have a copy of the forked dmca repo on your account (or have commented on it on their account to "lock" it to their account)

@lrvick

This comment has been minimized.

Copy link
Owner Author

@lrvick lrvick commented Oct 28, 2020

@09F911029D74E35BD84156C5635688plusC0 that simply looks like you didn't setup any ssh keys on your account?

This should not be empty: https://github.com/09F911029D74E35BD84156C5635688plusC0.keys

@09F911029D74E35BD84156C5635688plusC0

This comment has been minimized.

Copy link

@09F911029D74E35BD84156C5635688plusC0 09F911029D74E35BD84156C5635688plusC0 commented Oct 28, 2020

Done, thank you!

@aveao

This comment has been minimized.

Copy link

@aveao aveao commented Oct 28, 2020

Look, I hate Github and RIAA as much as the next person, but considering Github has done what was legally required by them (which is the result of the fucked up US copyright system and RIAA utilizing it) and is taking steps to help out youtube-dl (1, 2, 3), don't you think that it's a bit far to do this?

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 28, 2020

Well if GitHub have said that they won't fix it, we're not doing anything wrong by exploiting it. Obviously it's by design.

@Mhowser

This comment has been minimized.

Copy link

@Mhowser Mhowser commented Oct 28, 2020

They both deserve it for pulling this crap off in the first place, IMO. The RIAA's bogus claim and Github's shoot first ask questions later policy.

This whole situation should be a valuable lesson as to why you don't 'put all your eggs in one basket'. Youtube-dl should have ditched Github as their main development repository and went with something decentralized.

@aveao

This comment has been minimized.

Copy link

@aveao aveao commented Oct 28, 2020

That's not Github's policy. That's just how DMCA works. I don't like it either, but we should work on fighting against DMCA, not against Github for following DMCA.

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 28, 2020

YouTube DL have a mirror repo on GitLab...

@Mhowser

This comment has been minimized.

Copy link

@Mhowser Mhowser commented Oct 28, 2020

I know that, it is just a mirror, not the main repository where all the package updates, PRs and issues are.

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 28, 2020

True, but at least there's a place to find it.

Even so, RIAA would likely file a DMCA to GitLab if it was the main repo.

@ftupas

This comment has been minimized.

Copy link

@ftupas ftupas commented Oct 28, 2020

man this is brilliant, I was down when they took down youtube-dl but this made my day! Kudos

@stephen304

This comment has been minimized.

Copy link

@stephen304 stephen304 commented Oct 28, 2020

@lrvick

youtubedl2: still up https://github.com/github/dmca//tree/19441f8f51759e59df62f667791385034564c5be

Can't see yours @stephen304.

You don't need a PR. You just need to still have a copy of the forked dmca repo on your account (or have commented on it on their account to "lock" it to their account)

The commits I pulled in are still there too: https://github.com/github/dmca/tree/416da574ec0df3388f652e44f7fe71b1e3a4701f

Youtube-dl2's PR was deleted too, mine was 8142, youtube-dl2's was 8146. I know the PRs aren't necessary, but maybe a sign that they are getting around to cleaning up this mess.

Edit: Worth noting that my merge commit was also deleted it seems: github/dmca@9bf7cff

But youtube-dl2's merge commit is still present: github/dmca@b018a9e

@Zorono

This comment has been minimized.

Copy link

@Zorono Zorono commented Oct 28, 2020

1,

I loved Github's situation where they're supporting youtube-dl but really they must fix those critical security bugs soon!

@lrvick

This comment has been minimized.

Copy link
Owner Author

@lrvick lrvick commented Oct 28, 2020

For those suggesting this is "too far" it really trolls the RIAA more than GitHub.

If you note, GitHub is not running around deleting the thousands of new youtube-dl copies. They deleted the ones listed in the DMCA request. Now it is the burdon of the RIAA to go find and list every single one of these new copies for a new request which is not going to be easy now.

The impersonation bit is not useful, but also does no harm. That is just there because it is funny, and brings more attention to security and social engineering issues github refuses to fix as a bonus. They -do- deserve to be trolled for security issues they won't fix.

We may also be giving Github the ability to reply to a potential additional report from the RIAA that they literally are unable to rapidly comply due to the volume of the repos being added, and the complexity and removing them from some of the locations they are added.

If anything we are just complicating the entire process for the RIAA and GitHub to make censorship impractical and likely forcing it into a standoff until the pending lawsuits against the RIAA to fight back against this nonsense run their course.

This is just a non destructive form of protest to make censorship difficult if not impossible. The more people that do it, the less likely the RIAA will have the time or resources to even attempt a round #2.

@Mhowser

This comment has been minimized.

Copy link

@Mhowser Mhowser commented Oct 28, 2020

1920px-Sample_09-F9_protest_art,_Free_Speech_Flag_by_John_Marcotte svg
Remember our flag lads!

@aveao

This comment has been minimized.

Copy link

@aveao aveao commented Oct 28, 2020

@lrvick

For those suggesting this is "too far" it really trolls the RIAA more than GitHub.

No, it bothers Github staff, not RIAA.

If you note, GitHub is not running around deleting the thousands of new youtube-dl copies. They deleted the ones listed in the DMCA request. Now it is the burdon of the RIAA to go find and list every single one of these new copies for a new request which is not going to be easy now.

Yes, but now github has to worry because their employees are being impersonated, and it being pushed into stuff like github/dmca means that their own repos might get dmca'd improperly. One could argue that the latter one is good as it means that it gives Github incentive to fix the issues regarding showing commits from other repos.

The impersonation bit is not useful, but also does no harm. That is just there because it is funny, and brings more attention to security and social engineering issues github refuses to fix as a bonus. They -do- deserve to be trolled for security issues they won't fix.

This is literally by design on git. You're not even successfully impersonating them. It clearly says that signature doesn't match. The only way to fix this would be to have a "don't allow pushes with my name without a valid signature" (which I'm all for) or to have a non-standard git change or something, and I don't think any of us want that latter one.

We may also be giving Github the ability to reply to a potential additional report from the RIAA that they literally are unable to rapidly comply due to the volume of the repos being added, and the complexity and removing them from some of the locations they are added.

I'll answer you with you:

For those suggesting this is "too far" it really trolls the RIAA more than GitHub.

If anything we are just complicating the entire process for the RIAA and GitHub to make censorship impractical and likely forcing it into a standoff until the pending lawsuits against the RIAA to fight back against this nonsense run their course.

You're just putting more work on Github employees to try and clean this up by deleting PRs and maybe on RIAA lawyers. Latter part is kinda neat I guess, but...

This is just a non destructive form of protest to make censorship difficult if not impossible. The more people that do it, the less likely the RIAA will have the time or resources to even attempt a round #2.

(This is a reply to last 2 quotes) Let's be honest: This is different from 09f9. This is not about the code. Youtube-dl breaks whenever the website changes, and obviously requires fixes. RIAA took down all maintained repos, and as soon as youtube updates the website, the code that's being passed around will be useless (for YouTube at least). If a new maintained repo pops up with fixes, all RIAA will need to do is take that down. Obviously this can turn into a cat and mouse where a new repo is made after one goes down, but it will still nuke issues and PRs every single time, and this will harm the project.

The best thing one could do for youtube-dl would be to provide them legal support or provide a space for a maintained repo to exist without fear of getting DMCA'd (though that might be illegal, IANAL).

@Fanboy-Studios

This comment has been minimized.

Copy link

@Fanboy-Studios Fanboy-Studios commented Oct 29, 2020

Has this been fixed? It's not working for me.

git push -f origin master
Warning: Permanently added the RSA host key for IP address 'xxx.xx.xxx.x' to the list of known hosts.
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

@Mhowser

This comment has been minimized.

Copy link

@Mhowser Mhowser commented Oct 29, 2020

@lrvick

This comment has been minimized.

Copy link
Owner Author

@lrvick lrvick commented Oct 29, 2020

@aveao Github does not need to change git itself here. All they need to do is deny pushes if the user.email on your commit does not match the email on the account associated with the ssh key you are using to push. People that want to push code on behalf of other people can use "git commit --author" as designed. Naturally any unsigned commits should still show a red loud warning like browsers show for unsigned (non https) websites.

Also GitHub was asked by the RIAA to take down a specific set of repos which they did. Now the RIAA has to come up with a new (huge and ambiguous) set, but they likely won't because their current set is being challenged in court and they likely don't want to incur further damages because their claim itself is very clearly illegal, not the code. Taking down a project using the clause they did requires the project explicitly market itself for copyright infringement, and they claimed a few test cases is marketing, which they -clearly- knew was bullshit.

The power of DMCA to take down a repo is a double edged sword. You must comply right away on good faith, but if it turns out the claim was fraudulent or misrepresenting facts as the RIAA takedown here was, they can be counter sued for damages. They are going to lose this one.

Github does not have to do anything here but fix their own security bugs. The RIAA is however being sent a strong message that, legal or not, the internet will not stand for censorship of open source code and any attempts to do so will only motivate far more copies than they took down.

In the mean time Youtube-DL development has moved to Gitlab: https://gitlab.com/ytdl-org/youtube-dl

@starlingvibes

This comment has been minimized.

Copy link

@starlingvibes starlingvibes commented Oct 29, 2020

This is hilarious!

@Fanboy-Studios

This comment has been minimized.

Copy link

@Fanboy-Studios Fanboy-Studios commented Oct 30, 2020

https://github.com/github/dmca/tree/301575613bfc161452306db20593c5f5644b4b6f

Uploaded a copy of YouTube-DL and added a little something special to the readme...

@stephen304

This comment has been minimized.

Copy link

@stephen304 stephen304 commented Oct 30, 2020

It's interesting that they've been deleting PRs that pull in ytdl or warez, but not actually deleting the commits. I wonder if their strategy is to just delete PRs that make it easy to find and hope people forget that the commits are still there.

Here is one of the things that was added, where the PR was deleted but the content is still up: https://github.com/github/dmca/blob/ee25b981597634616eafce210df4d67bacf661ff/cool_stuff/github-sources.txt

@dashboarder

This comment has been minimized.

Copy link

@dashboarder dashboarder commented Oct 31, 2020

Hi. This is a bit offtopic: I was trying to push iBoot leaked source code. It fails anyways

$ git remote add origin git@github.com:dashboarder/dmca                          
$ git push -f origin master                          
The authenticity of host 'github.com (192.XX.XXX.XXX)' can't be established.                                
RSA key fingerprint is SHA256:nThbg6kXXXXXXXXX.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'github.com,192.XX.XXX.XXX' (RSA) to the list of known hosts.
ERROR: Repository not found.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$ git remote remove origin                            $ git remote add origin git@github.com:github/dmca
$ git push -f origin master
ERROR: Permission to github/dmca.git denied to dashboarder.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
$

Do I need to fork one first?

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Oct 31, 2020

@dashboarder

Go back to the gist and read step 1.

@dashboarder

This comment has been minimized.

Copy link

@dashboarder dashboarder commented Oct 31, 2020

@dashboarder

This comment has been minimized.

Copy link

@dashboarder dashboarder commented Oct 31, 2020

Also, I discovered that it's just viewing forked commit from base repository, no exploit.

@dashboarder

This comment has been minimized.

Copy link

@dashboarder dashboarder commented Oct 31, 2020

I used github web editor, and just replace in link my account name with github https://github.com/github/dmca/blob/ab01c3c266164d695f5fdf8aa1776ccf13941284/what_u_see_was_from_forked_repo.txt

@davwheat

This comment has been minimized.

Copy link

@davwheat davwheat commented Nov 4, 2020

@NobleDraconian

This comment has been minimized.

Copy link

@NobleDraconian NobleDraconian commented Nov 4, 2020

This is absolutely comedy gold. 😂

@09F911029D74E35BD84156C5635688plusC0

This comment has been minimized.

Copy link

@09F911029D74E35BD84156C5635688plusC0 09F911029D74E35BD84156C5635688plusC0 commented Nov 4, 2020

@Zorono

This comment has been minimized.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.