youtubedown

If you use youtubedown, please grab the new version.

I think I've gotten a slightly better understanding of what Youtube is up to with this enciphered signature nonsense, and I'm trying a new method of dealing with it.

If you send me the errors printed for any videos that it can't download, that will be very helpful.


I think that what's going on is not that the ciphers are keyed off of the length of the signature, but rather, than they are just periodically changing the cipher algorithm, so the only way to know what algorithm to use is to have hardcoded knowledge of what is implemented in whatever version of "html5player.js" is getting loaded today (currently "html5player-vfl_ymO4Z.js".)

This means that every time they change the algorithm, I'll have to update the code in youtubedown. I don't know how frequently they're doing that, but that's some bullshit.

Maybe there's a way to parse this out from the Javascript, but since they've obfuscated and minimized it, the name of the decipherment routine changes.

I still have no idea how the signatures in get_video_info are to be deciphered. If there's a clue in there as to what algorithm is in use, I haven't spotted it.

Tags: , , , , , ,

Surprisingly, headline ending with a question mark, but the answer is yes!

"Can Apple read your iMessages?"

I spent the past week weighing the evidence and believe it's an overstatement for Apple to say that only the sender and receiver of iMessage and FaceTime conversations can see and read their contents. There are several scenarios in which Apple employees, either at the direction of an NSA order or otherwise, could read customers' iMessage or FaceTime conversations, and I'll get to those in a moment. But first, I want to make it clear that my conclusion is based on so-called black-box testing, which examines the functionality of an application or service with no knowledge of their internal workings. No doubt, Apple engineers have a vastly more complete understanding, but company representatives declined my request for more information. [...]

"In the case of iMessage intercept capabilities, Apple is taking a page from Skype's playbook -- make very carefully worded statements about the existence of encryption, and then let people read far more into their claims than they have actually made," Chris Soghoian, who is principal technologist and senior policy analyst for the American Civil Liberties Union, told Ars. "When reading Apple's carefully worded PRISM denial, remember it was written by a hybrid team of lawyers and PR folks. Every word matters. At best, they are being cagey, at worst, outright deceptive."

Previously, previously.

Tags: , , ,

How to Drink in Antarctica

An Antarctic Recipe: Enhanced Sangria:

  1. Accidentally freeze an entire airdrop pallet of wine so that you have enough broken bottles that need to be consumed NOW so that this recipe's portions make sense.

  2. Procure a reasonably clean 5 gallon bucket. At the very least, a bucket free of detritus. Add the booze in the right order and you don't have to worry much about disinfecting things.

  3. Add one 750ml bottle, each, of the following boozes: gin, light rum, tequila, triple sec, vodka.

  4. Add three bags of frozen fruit and several sliced oranges. Fresh fruit won't last forever and you might as well use it here instead of throwing it out.

  5. Fill the remainder of bucket with red wine. Try to strain out the broken glass, chunks of cork, and label before dropping them in.

  6. Let sit for roughly 24 hours. DO NOT PUT THE BUCKET OUTSIDE IN THE SUBZERO TEMPS. Freezing things is why you're making this in the first place.

  7. Hide the sharp implements and serve to the unsuspecting by the pitcher.

NOTE: A single person should not consume an entire pitcher of this.

This recipe can be easily scaled up to for 55gal Rubbermaid wheelie trashcan. I know this because we had more frozen wine left over and repeated the experiment on a more epic scale.

Also, a really interesting longer essay on the culture of drunkenness down there:

Alcoholism in Antarctica:

I once gave a presentation to an Alcoholics Anonymous meeting where I opened, "Hi, I'm Phil Broughton. I'm not an alcoholic but I am a compulsive bartender." From there, I told a tale of alcoholism and enabling from the perspective of a safety professional serving people booze to oblivion. [...]

I recall pouring glass after glass of Crown Royal for a person that, against all odds, was still managing to sit on a stool and semi-coherently ask for another drink. There were three people that individually pulled me aside and said, "Dude. STOP SERVING HIM. He is so far gone it's not even funny." Assuming they remember, as it was a decade ago, they were drinking too, and the ravages of hypothyroidism in Antarctica on memory, they probably still blame me for serving irresponsibly. I had a different perspective. I try to keep in mind and control the most serious danger and deal with the other ones as they come up. The most dire danger in Antarctica is always failure to respect the absolutely lethal environment of Antarctica itself. I was far happier to serve until I could guide him over to a couch to pass out than to see him stagger out into the -85F night. I was doubly happy to be serving him in the bar rather than have him get to this state, or worse, alone where something dumb/wrong might happen and no one would be able to help him until it was far too late.

Previously, previously, previously, previously, previously, previously.

Tags: ,

Youtube download counter-countermeasures applied

I have worked around Youtube's latest obfuscation. You can again download all videos and playlists with my youtubedown script and bookmarklet.

Let me know if you find any that still don't work.

Great googly-moogly, that was a pain in the ass!

There's a get_video_info that tells you the URLs for the various resolutions of video data of a Youtube clip, in JSON form. Back in 2012, they changed it so that you had to take the provided "sig=" parameter and append it to the video URL before it would work. This signature appears to be a hash of some of the parameters to the URL (similar to what OAuth does) and the video-data URLs give you a 403 without it.

Within the last few months, they've started rolling out a new glitch where sometimes the signature (which is now "s=" instead of "sig=") is tagged with "use_cipher_signature", and... it's enciphered. Just enciphered. No actual crypto: simply a character-position-swapping cipher! These enciphered sigs come in lengths from 82 to 88 bytes, and you have to re-order and drop characters in particular ways to get them down to the 81-byte original signature. Each length seems to have a different algorithm, unless there's an overarching pattern that I haven't spotted.

It's purely security-through-obscurity! What a dick move.

Anyway, there's another kink on top of this: the enciphered signatures in the JSON don't work. The info about URL sources exists in both the get_video_info JSON, and also inside the HTML page itself, embedded as JavaScript. It's the same information, but with slightly different URLs and corresponding signatures. Obviously parsing the JSON is easier and saner than scraping JavaScript out of an HTML page, but... the URL/signature pairs in the JSON don't work, while the URL/signature pairs in the JavaScript do. So when you load the JSON, and find that the signature is enciphered, you have to punt on that data you already have and fall back on re-parsing the HTML instead.

What is this I don't even.

For laughs, check out the decipher_sig() function.

Now I have to wait for Miro to play catch-up and deploy a similar fix. I'm not holding my breath, because they still haven't released even a nightly build that includes the fix for downloading restricted Vimeo videos that I explained to them over a year ago. Sigh.

Previously.

Tags: , , , , , ,

DNA Lounge update

DNA Lounge update, wherein we show you our drawers.
Tags:

Mecharachnid

Justin Gershenson-Gates:



Previously, previously, previously.
Tags: ,

Pointy

Previously, previously.

Tags: , ,

"I am a medical robot. Please put the gun down."

Dr. Easy

Previously, previously, previously, previously, previously, previously, previously, previously.

Tags: , , ,

RSS Apocalypse Update: Newsify

I've been using the Newsify iPad/iPhone reader app today and it's pretty good! It uses the Feedly servers but is much better than the Feedly app.

Good:

  • Lets me use light text on a dark background.
  • Has preferences for fonts and font size.
  • Lets me display things oldest-first.
  • The "Unread" button is visible and on-screen all the time.
  • Hasn't crashed yet.

Bad:

  • The "Next" button is tiny and on the bottom not-even-all-the-way right.
  • No way to zoom in on images.
  • The icons that the "Unread" button uses for read versus unread are the same color and almost identical looking. I don't remember which is which.
  • "Mail" sends the whole HTML of the article instead of just the link. And the link goes at the bottom of the mail.
  • Still no OSX app.

You can also set it up so that swipe-right does "Next" but that doesn't work any better here than it does in the Feedly app.

Why don't designers of readers realize that "Next" is the single most important command in the UI? Why do they always make it hard to execute?

The "Next" button should be the easiest target on the screen to hit, and without having to visually search for it, and it should be accessible from either side, so you can fat-thumb the damned thing no matter which hand you're holding your sandwich in. Clickable nav areas should be huge, like this:

Prev
Body
Prev
Next
Next


Update: Having used it for almost a week, here are the things about Newsify that drive me crazy.

  • The "Next" button, obviously.
  • When you click Next, it takes nearly a full second running an animation that slides the new page in. I'm tired of waiting for that noise. Just show me the next article already.

  • You can't click Next until that animation has completed and the next article has fully loaded. If I click Next three times fast, I expect it to advance 3 pages, not 1.

I see that the iPhone (but not iPad) version of Reeder has been updated to support Feedly. Once he gets the iPad and desktop versions of that working again, I may switch back to that. Until then, though, Newsify seems to be the best opton.


Previously.

Tags: , , , ,

Marbles

Ingrid Berthon-Moine

Previously, previously, previously, previously, previously, previously, previously.
Tags: , , ,