Trolling Github's DMCA repo with their own security flaws.

Add new Youtube-dl copy to DMCA repo

  1. Fork https://github.com/github/dmca
  2. Download latest youtube-dl source code from https://yt-dl.org/latest
  3. Extract
    tar -xvf youtube-dl-2020.09.20.tar.gz
    
  4. Push code to your fork as the GitHub CEO
    cd youtube-dl-2020.09.20
    git init
    git add .
    git config user.email "nat@github.com"
    git config user.name "Nat Friedman"
    git commit -m "Your message to the RIAA and GitHub Here"
    git remote add origin git@github.com:YOURUSER/dmca
    git push -f origin master
    
  5. Get new URL to share!
    echo "https://github.com/github/dmca/tree/$(git rev-parse HEAD)"
    

Clone hidden repo from DMCA repo:

    git clone -n https://github.com/github/dmca.git youtube-dl
    cd youtube-dl
    git fetch origin 416da574ec0df3388f652e44f7fe71b1e3a4701f
    git checkout FETCH_HEAD


stephen304 commented Oct 28, 2020

I noticed that they removed my PR as well as one made by youtube-dl2 (both seem to be the only 2 that involved youtube-dl commits), maybe that could be related. This has been left up wayy longer than I thought it would be.

Author

lrvick commented Oct 28, 2020

youtubedl2: still up https://github.com/github/dmca//tree/19441f8f51759e59df62f667791385034564c5be

Can't see yours @stephen304.

You don't need a PR. You just need to still have a copy of the forked dmca repo on your account (or have commented on it on their account to "lock" it to their account)

Author

lrvick commented Oct 28, 2020

@09F911029D74E35BD84156C5635688plusC0 that simply looks like you didn't set up any ssh keys on your account?

This should not be empty: https://github.com/09F911029D74E35BD84156C5635688plusC0.keys

@09F911029D74E35BD84156C5635688plusC0

Done, thank you!


aveao commented Oct 28, 2020

Look, I hate Github and RIAA as much as the next person, but considering Github has done what was legally required by them (which is the result of the fucked up US copyright system and RIAA utilizing it) and is taking steps to help out youtube-dl (1, 2, 3), don't you think that it's a bit far to do this?


davwheat commented Oct 28, 2020

Well if GitHub have said that they won't fix it, we're not doing anything wrong by exploiting it. Obviously it's by design.


Mhowser commented Oct 28, 2020

They both deserve it for pulling this crap off in the first place, IMO. The RIAA's bogus claim and Github's shoot first ask questions later policy.

This whole situation should be a valuable lesson as to why you don't 'put all your eggs in one basket'. Youtube-dl should have ditched Github as their main development repository and went with something decentralized.


aveao commented Oct 28, 2020

That's not Github's policy. That's just how DMCA works. I don't like it either, but we should work on fighting against DMCA, not against Github for following DMCA.


davwheat commented Oct 28, 2020

YouTube DL have a mirror repo on GitLab...


Mhowser commented Oct 28, 2020

I know that, it is just a mirror, not the main repository where all the package updates, PRs and issues are.


davwheat commented Oct 28, 2020

True, but at least there's a place to find it.

Even so, RIAA would likely file a DMCA to GitLab if it was the main repo.


ftupas commented Oct 28, 2020

man this is brilliant, I was down when they took down youtube-dl but this made my day! Kudos


stephen304 commented Oct 28, 2020

@lrvick

> youtubedl2: still up https://github.com/github/dmca//tree/19441f8f51759e59df62f667791385034564c5be
>
> Can't see yours @stephen304.
>
> You don't need a PR. You just need to still have a copy of the forked dmca repo on your account (or have commented on it on their account to "lock" it to their account)

The commits I pulled in are still there too: https://github.com/github/dmca/tree/416da574ec0df3388f652e44f7fe71b1e3a4701f

Youtube-dl2's PR was deleted too, mine was 8142, youtube-dl2's was 8146. I know the PRs aren't necessary, but maybe a sign that they are getting around to cleaning up this mess.

Edit: Worth noting that my merge commit was also deleted it seems: github/dmca@9bf7cff

But youtube-dl2's merge commit is still present: github/dmca@b018a9e


Zorono commented Oct 28, 2020

1,

I loved Github's situation where they're supporting youtube-dl but really they must fix those critical security bugs soon!

Author

lrvick commented Oct 28, 2020

For those suggesting this is "too far" it really trolls the RIAA more than GitHub.

If you note, GitHub is not running around deleting the thousands of new youtube-dl copies. They deleted the ones listed in the DMCA request. Now it is the burden of the RIAA to go find and list every single one of these new copies for a new request which is not going to be easy now.

The impersonation bit is not useful, but also does no harm. That is just there because it is funny, and brings more attention to security and social engineering issues github refuses to fix as a bonus. They -do- deserve to be trolled for security issues they won't fix.

We may also be giving Github the ability to reply to a potential additional report from the RIAA that they literally are unable to rapidly comply due to the volume of the repos being added, and the complexity and removing them from some of the locations they are added.

If anything we are just complicating the entire process for the RIAA and GitHub to make censorship impractical and likely forcing it into a standoff until the pending lawsuits against the RIAA to fight back against this nonsense run their course.

This is just a non destructive form of protest to make censorship difficult if not impossible. The more people that do it, the less likely the RIAA will have the time or resources to even attempt a round #2.


Mhowser commented Oct 28, 2020

[Image: Free Speech Flag (09 F9 protest art) by John Marcotte]
Remember our flag lads!


aveao commented Oct 28, 2020

@lrvick

> For those suggesting this is "too far" it really trolls the RIAA more than GitHub.

No, it bothers Github staff, not RIAA.

> If you note, GitHub is not running around deleting the thousands of new youtube-dl copies. They deleted the ones listed in the DMCA request. Now it is the burden of the RIAA to go find and list every single one of these new copies for a new request which is not going to be easy now.

Yes, but now github has to worry because their employees are being impersonated, and it being pushed into stuff like github/dmca means that their own repos might get dmca'd improperly. One could argue that the latter one is good as it means that it gives Github incentive to fix the issues regarding showing commits from other repos.

> The impersonation bit is not useful, but also does no harm. That is just there because it is funny, and brings more attention to security and social engineering issues github refuses to fix as a bonus. They -do- deserve to be trolled for security issues they won't fix.

This is literally by design on git. You're not even successfully impersonating them. It clearly says that signature doesn't match. The only way to fix this would be to have a "don't allow pushes with my name without a valid signature" (which I'm all for) or to have a non-standard git change or something, and I don't think any of us want that latter one.

> We may also be giving Github the ability to reply to a potential additional report from the RIAA that they literally are unable to rapidly comply due to the volume of the repos being added, and the complexity and removing them from some of the locations they are added.

I'll answer you with you:

> For those suggesting this is "too far" it really trolls the RIAA more than GitHub.

> If anything we are just complicating the entire process for the RIAA and GitHub to make censorship impractical and likely forcing it into a standoff until the pending lawsuits against the RIAA to fight back against this nonsense run their course.

You're just putting more work on Github employees to try and clean this up by deleting PRs and maybe on RIAA lawyers. Latter part is kinda neat I guess, but...

> This is just a non destructive form of protest to make censorship difficult if not impossible. The more people that do it, the less likely the RIAA will have the time or resources to even attempt a round #2.

(This is a reply to last 2 quotes) Let's be honest: This is different from 09f9. This is not about the code. Youtube-dl breaks whenever the website changes, and obviously requires fixes. RIAA took down all maintained repos, and as soon as youtube updates the website, the code that's being passed around will be useless (for YouTube at least). If a new maintained repo pops up with fixes, all RIAA will need to do is take that down. Obviously this can turn into a cat and mouse where a new repo is made after one goes down, but it will still nuke issues and PRs every single time, and this will harm the project.

The best thing one could do for youtube-dl would be to provide them legal support or provide a space for a maintained repo to exist without fear of getting DMCA'd (though that might be illegal, IANAL).


FanboyStudios commented Oct 29, 2020

Has this been fixed? It's not working for me.

    git push -f origin master
    Warning: Permanently added the RSA host key for IP address 'xxx.xx.xxx.x' to the list of known hosts.
    git@github.com: Permission denied (publickey).
    fatal: Could not read from remote repository.

    Please make sure you have the correct access rights
    and the repository exists.


Mhowser commented Oct 29, 2020

Author

lrvick commented Oct 29, 2020

@aveao Github does not need to change git itself here. All they need to do is deny pushes if the user.email on your commit does not match the email on the account associated with the ssh key you are using to push. People that want to push code on behalf of other people can use "git commit --author" as designed. Naturally any unsigned commits should still show a red loud warning like browsers show for unsigned (non https) websites.

Also GitHub was asked by the RIAA to take down a specific set of repos which they did. Now the RIAA has to come up with a new (huge and ambiguous) set, but they likely won't because their current set is being challenged in court and they likely don't want to incur further damages because their claim itself is very clearly illegal, not the code. Taking down a project using the clause they did requires the project explicitly market itself for copyright infringement, and they claimed a few test cases is marketing, which they -clearly- knew was bullshit.

The power of DMCA to take down a repo is a double edged sword. You must comply right away on good faith, but if it turns out the claim was fraudulent or misrepresenting facts as the RIAA takedown here was, they can be counter sued for damages. They are going to lose this one.

Github does not have to do anything here but fix their own security bugs. The RIAA is however being sent a strong message that, legal or not, the internet will not stand for censorship of open source code and any attempts to do so will only motivate far more copies than they took down.

In the meantime Youtube-DL development has moved to Gitlab: https://gitlab.com/ytdl-org/youtube-dl
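
Added example (not from the gist, the thread, or GitHub): a sketch of the push check proposed in the comment above, keyed on the committer field because `git config user.email` sets both author and committer while `git commit --author` changes only the author. The function names, the verdict strings and the sample commit objects, with their names, addresses and hashes, are constructed for illustration.

```python
import re

# Constructed samples in the layout `git cat-file commit <sha>` prints.
# Every name, address and hash here is made up for this example.
SPOOFED = """tree 1111111111111111111111111111111111111111
author Some Executive <exec@example.com> 1603843200 +0000
committer Some Executive <exec@example.com> 1603843200 +0000

Message chosen by the pusher
"""
ON_BEHALF = """tree 2222222222222222222222222222222222222222
parent 3333333333333333333333333333333333333333
author Upstream Dev <dev@example.org> 1603843200 +0000
committer Pusher <pusher@example.net> 1603846800 +0000

Apply patch from upstream dev
"""

IDENT = re.compile(r"^.* <(?P<email>[^<>]*)> \d+ [+-]\d{4}$")

def parse_headers(raw):
    """Return the header fields of a raw commit object, first value per key."""
    headers = {}
    head, _, _ = raw.partition("\n\n")   # headers end at the first blank line
    for line in head.split("\n"):
        if line.startswith(" "):          # continuation of a multi-line header (gpgsig)
            continue
        key, _, value = line.partition(" ")
        headers.setdefault(key, value)
    return headers

def check_push(raw_commits, pusher_emails):
    """Hypothetical policy: the committer e-mail must be one of the pusher's own.

    Returns (verdict, committer_email, has_signature_header) per commit; the
    author field is left unrestricted so commits made on someone's behalf pass.
    """
    allowed = {e.lower() for e in pusher_emails}
    results = []
    for raw in raw_commits:
        headers = parse_headers(raw)
        m = IDENT.match(headers.get("committer", ""))
        committer = m.group("email").lower() if m else None
        verdict = "accept" if committer in allowed else "reject"
        # A gpgsig header only shows a signature is present; verifying it is a
        # separate step, and its absence is what the UI should warn about.
        results.append((verdict, committer, "gpgsig" in headers))
    return results
```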


starlingvibes commented Oct 29, 2020

This is hilarious!


FanboyStudios commented Oct 30, 2020

https://github.com/github/dmca/tree/301575613bfc161452306db20593c5f5644b4b6f

Uploaded a copy of YouTube-DL and added a little something special to the readme...


stephen304 commented Oct 30, 2020

It's interesting that they've been deleting PRs that pull in ytdl or warez, but not actually deleting the commits. I wonder if their strategy is to just delete PRs that make it easy to find and hope people forget that the commits are still there.

Here is one of the things that was added, where the PR was deleted but the content is still up: https://github.com/github/dmca/blob/ee25b981597634616eafce210df4d67bacf661ff/cool_stuff/github-sources.txt


davwheat commented Oct 31, 2020

@dashboarder

Go back to the gist and read step 1.


davwheat commented Nov 4, 2020


NobleDraconian commented Nov 4, 2020

This is absolutely comedy gold. 😂

@09F911029D74E35BD84156C5635688plusC0


Zorono commented Nov 6, 2020


FanboyStudios commented Dec 2, 2020

LOL!? https://www.zdnet.com/google-amp/article/github-denies-getting-hacked/

Maybe I should contact zdnet and tell them myself about my experience hacking them... that would be hilarious if GitHub then replies denying hard evidence from a few of us.
