Nsig/sig - Special tokens which must be passed to API calls, generated by code in base.js (player code). This is what has broken for yt-dlp and other third-party clients. Instead of extracting the code that generates those tokens (e.g. using regular expressions) like we used to, we now need to run the whole base.js player code to get these tokens because the code is spread out all over the player code.
PoToken - Proof of origin token which Google has lately been enforcing for all clients, or video requests will fail with a 403. On Android it uses DroidGuard; for iOS, it uses built-in app integrity APIs. For the web it requires that you run a snippet of JavaScript code (the challenge) in the browser to prove that you are not a bot. Previously, you needed an external tool to generate these PoTokens, but with the Deno change yt-dlp should be capable of producing these tokens by itself in the near future.
SABR - Server side adaptive bitrate streaming, used alongside Google's UMP protocol to allow the server to have more control over buffering, given data from the client about the current playback position, buffered ranges, and more. This technology is also used to do server-side ad injection. Work is still being done to make 3rd party clients work with this technology (sometimes works, sometimes doesn't).
> If you ever wondered why the likes of Google and Cloudflare want to restrict the web
I disagree with the framing of "us vs them".
It's actually "us vs us". It's not just us plebeians vs FAANG giants. The small-time independent publishers and creators also want to restrict the web because they don't want their content "stolen". They want to interact with real humans instead of bots. The following are manifestations of the same fear:
- small-time websites adding Anubis proof-of-work
- owners of popular Discord channels turning on the setting for phone # verification as a requirement for joining
- web blogs wanting to put a "toll gate" (maybe utilize Cloudflare or other service) to somehow make OpenAI and others pay for the content
We're long past the days of colleagues and peers of ARPANET and NSFNET sharing info for free on university computers. Now everybody on the globe wants to try to make a dollar, and likewise, they feel dollars are being stolen from them.
But this, too, skips over some nuance. There are a few types of actors here:
- small content creators who want to make their content accessible to individuals
- companies that want to gobble up public data and resell it in a way that destroys revenue streams for content creators
- gatekeepers like Cloudflare who want to ostensibly stop this but will also become rent-extractors in the process
- users who should have the right to use personal tools like yt-dlp to customize their viewing experience, and do not wish to profit at the expense of the creators
We should be cautious both that the gatekeepers stand to profit from their gatekeeping, and that their work inhibits users as well.
If creators feel this type of user (often a dedicated fan and would-be promoter) is a necessary sacrifice to defend against predatory data extractors… then that’s absolutely the creator’s choice, but you can’t say there’s a unified “us” here.
But then it's not (small creators + users) vs. the other parties you listed. Small creators, like small business, often exhibit the worst kinds of greed and exploitative behavior.
Also there's a lot of misalignment between users and providers at the cultural level - the society is yet to fully process the implications of "digital revolution" (and copyright industry meddling with everything isn't helping). A big chunk of that boils down to the same thing that started "the war on general-purpose computing": producers have opinions on how their products should be used, and want to force consumers to only use them as prescribed.
Whether it's because they want to exploit the consumers through a side channel (e.g. ads), or to "protect intellectual property", or because they see artistic value in the integrity of their creation, or because they think they know better than customers - reasons are many, but underneath them all, is the core idea the society hasn't yet worked out: whether, and to what degree, are producers even morally entitled to that kind of control.
My personal answer is: they're not (nor are they to their old business models). But then it's producers, not consumers, who have all the money and control here.
Those were already public. The issue is AI bots DDoS-ing the server. Not everyone has infinite bandwidth.
> owners of popular Discord channels turning on the setting for phone # verification as a requirement for joining
I still think that Discord is a weird channel for community stuff. There are a lot of different formats for communication, but people are defaulting to chat.
> web blogs wanting to put a "toll gate" (maybe utilize Cloudflare or other service) to somehow make OpenAI and others pay for the content
Paid content is good (Coursera, O'Reilly, Udemy,...). But a lot of these services want to have free powered by ads (for audience?).
---
The fact is, we have two main bad actors: AI companies hammering servers and companies that want to centralize content (that they do not create) by adding gatekeeping extensions to standard protocols.
> Now everybody on the globe wants to try to make a dollar, and likewise, they feel dollars are being stolen from them.
I'm not in it for the dollar. I just want the licenses I put on my content/code to be respected, that's all. IOW, I don't want what I put out there to be free forever (as in speech and beer) to be twisted and monetized by the people who are in this for the dollar.
I don’t feel like dollars are stolen from me. It’s more of companies abusing my goodwill to publish information online. From higher bills as a result of aggressive crawling, to copying my work and removing all copyright/licensing from the code. Sure, fair use and all, but when they return the same exact code it just makes me wonder.
Nowadays, producing anything feels like being the cow's udder.
I want my content borrowed/shared, and I still need to be engaged in this stuff because the poorly behaved distributed bots that have arisen in the past year are trying to take boundless resources from my site(s), that I cannot afford.
> The small-time independent publishers and creators also want to restrict the web because they don't want their content "stolen".
I'm sure some music creators may have, years ago, been against CD recorders, or platforms like Napster or even IRC-based file transfer for sharing music. Hell, maybe they were even against VCRs back in the day. But they were misguided at best.
People who want to prevent computer users from freely copying data are, in this context at least, part of "them" rather than "us".
Duh. I've known this for decades. The biggest advocates for DRM I've known are small-time content creators: authors, video producers, musicians. They've been saying the same thing since the 90s: without things like DRM, their stuff would be pirated, and they'd like to earn a living doing what they love instead of grinding at a day job to support themselves while everybody benefits from their creative output. In addition, major publishers and record labels won't touch stuff that's been online because of the piracy risk. They don't want to make an investment in smaller creators without a return in the form of sales of copies. That last bit is less true of music now than it used to be because of streaming and stuff, but the principle still applies.
This is why the DMCA will never be repealed, DRM will never go away, and there is no future for general purpose computing. People want access to digital content, but the creators of that content wouldn't release it at all if they knew that it could be copied endlessly by whomever receives it.
That isn't entirely true. Perhaps it's because small content creators aren't a monolithic group. There are a few who try the alternative approaches and succeed. For example, whenever buying ebooks, I first check if the author sells it directly or through small publishers. It's always a better deal if they do. Cheaper than what you pay on amzn, DRM-free and occasionally lifetime free updates (eg: The Kubernetes book by Nigel Poulton). Despite the lower price, the author gets most, if not all of what you pay. They're sometimes liberal with the sharing policy too. They ask you to not share it around in large numbers, while conceding that just a copy or two is expected. I find this to be a reasonable demand. Therefore I encourage people to buy a copy for themselves if they like the book.
I have heard someone trying this approach with music albums and succeeding at it. The album is more likely to go viral due to the easiness in sharing, while you'll always find consumers who volunteer to pay you. While the returns per copy is low, the large number of copies means that your profits may be higher than if it were DRM-encumbered. Musicians may also like the fact that there are no powerful middlemen that they have to contend with. In fact, this is what YouTube creators already do when they choose alternative monetization paths like Patreon.
What's really needed is for people to support and encourage this model and such creators. We used to earlier blame them saying that people choose convenience and short term savings over long term market health. But that's no longer applicable. People are so fed up with being exploited under consumerism that they've started boycotting these big players to regain their independence and self sufficiency. The real issue preventing open digital markets is just the lack of awareness of their existence. This message has to be spread somehow.
It's us vs them. What big corps want is fundamentally adversarial due to its motivation. I like to think that humans can conceptually not be your enemy.
> The small-time independent publishers and creators also want to restrict the web because they don't want their content "stolen"
... or just keep their site on the Internet. There hasn't been any major progress on sanctioning bad actors - be it people running vulnerable IoT crap that ends up being taken over by a botnet, cybercriminals and bulletproof hosters, or nation state actors. As long as you don't attack targets from your own geopolitical class (i.e. Russians don't attack Russians, a lot of malware will just quit if it spots Russian locale), you can do whatever the fuck you want.
And that is how we end up with darknet services where you can trivially order a DDoS taking down a website you don't like or, if you manage to get your opponent's IP leaked during an online game, their residential IP address. Pay with whatever shitcoin you have, and no one is any wiser who the perpetrator is.
> The small-time independent publishers and creators also want to restrict the web
Oh really? Does Linus's Floatplane go to this extent to prevent users from downloading stuff? Does Nebula? Does whatever that gun youtuber's version of video site do this?
It’s like we are living in an affordability crisis and people are tired of 400 wealthy billionaires profiting from people's largess in the form of free data/tooling.
When Nixon slammed the gold window shut so Congress could keep writing blank checks for Vietnam and the Great Society, it wasn't just some monetary technicality. It was the moment America broke its word to the world and broke something fundamental in us too. Suddenly money wasn't something you earned through sweat or innovation anymore. It became something politicians and bankers could conjure from thin air whenever they wanted another war, another corporate bailout, another vote-buying scheme.
Fast forward fifty years and smell the rot. That same fiscal recklessness (Congress spending like drunken sailors while pretending deficits don't matter) has bled into every pore of society. Why wouldn't it? When BlackRock scoops up entire neighborhoods with Fed-printed cash while your kid can't afford a studio apartment, people notice. When Tyson jacks up chicken prices to record profits while diners can't afford bacon, people feel it. And when some indie blogger slaps a paywall on their life's work because OpenAI vacuumed their words to train ChatGPT? That's the same disease wearing digital clothes.
We're all living in Nixon's hangover. The "us vs us" chaos you see (Discord servers demanding your phone number, small sites gatekeeping against bots, everyone scrambling to monetize scraps): that's what happens when trust evaporates. Just like the dollar became Monopoly money after '71, everything feels devalued now. Your labor? Worth less each year. Your creativity? Someone's AI training fuel. Your neighborhood? A BlackRock asset on a spreadsheet.
And Washington's still at it! Printing trillions to "save the economy" while inflation eats your paycheck alive. Passing trillion-dollar "infrastructure bills" that somehow leave bridges crumbling but defense contractors swimming in cash. It's the same old shell game: socialize the losses, privatize the gains. The factory worker paying $8 for eggs understands this. The nurse getting lectured about "wage spirals" while hospital CEOs pocket millions understands this. The teenager locking down their Discord because bots keep spamming scams? They understand this.
Weimar happened when money became meaningless. 1971 happened when promises became meaningless. What you're seeing now (the suspicion, the barriers, the every-man-for-himself hustle) is what bubbles up when people realize the whole system's running on fumes. The diner owner charging $18 for a burger isn't greedy. The blogger blocking AI scrapers isn't a Luddite. They're just building levees against a flood Washington started with a printing press half a century ago.
The tragedy is that we're all knee-deep in the same muddy water, throwing sandbags at each other while the real architects of this mess (the political grifters, the Fed bankers, the extraction-engine capitalists) watch dry-eyed from their high ground. Until we stop accepting their counterfeit money and their counterfeit promises, we'll keep drowning in this rigged game. The gold window didn't just close in '71. The whole damn social contract rusted shut.
19th-century factory towns sucked dick. Child labor, no safety nets, cholera outbreaks. Yeah, not exactly Disneyland. But that's not the argument. The gold standard didn't cause those horrors. Unchecked capitalism and shitty labor laws did. What gold did do was force a brutal honesty. You couldn't fake prosperity. If you wanted a war or a welfare program, you either taxed people directly or found the gold to pay for it. No printing press to hide the pain. Nixon's 1971 move didn't just detach the dollar from gold. It detached political accountability from fiscal reality. Every fucking crisis since '71 gets "solved" the same way: print, borrow, and kick the can. Gold didn't prevent recessions; it prevented this: a system where elites privatize gains but socialize losses. Your grandpa's $0.25/hour wage in 1950 bought 10 loaves of bread. Your $15/hour today buys 3 loaves. Your 401k inflates, your rent explodes, and Washington shrugs: "Inflation's transitory, bro!"
Gold "terrible"? Tell that to the single mom paying 40% of her paycheck to rent a BlackRock-owned apartment. Why's BlackRock her landlord? Because fiat made debt cheaper than dirt. They borrowed billions at 0% from the Fed, bought entire neighborhoods, and jacked rents. Under gold? Interest rates would've spiked, crushing their leveraged bets. But nah. We got "QE Infinity" instead. Today's policy is literally cronyism with extra steps: print to bail out banks which causes inflated assets which squeezes workers. Rinse. Repeat.
Wow. That was eloquent, and coherent, and depressing. I'd be grateful for someone to counter with something less dismal. Good things are still happening in the world. A positive future remains possible -- but we have to be able to imagine it to bring it into being.
They'd have to physically steal gold from people, and people would notice that. Or they could mine more gold, but that's hard. Or they could publicly and officially change the exchange rate (of dollars to gold), and people would notice that politicians make it go down, the same way that people notice when politicians make taxes go up (they notice way more than when prices other than taxes go up).
With the current system, they (the central bank) can just increase some people's numbers in some spreadsheets, and the effects are extremely indirect. Nominally this is in exchange for assets of equal value so the situation returns to normal after some time, but that hasn't been happening - the amount of money created this way has not been decreasing at any meaningful rate.
> And it would be impossible to bail out those bonds when they defaulted
Well the US hasn't defaulted so changing how a default works wouldn't really affect the trajectory we took. And a default would be pretty catastrophic either way.
Well the US isn't on the gold standard. If it was on the gold standard then it would have defaulted. That's why it moved off the gold standard.
Actually, by moving off the gold standard, it defaulted on dollars (at the time a kind of gold bond) rather than defaulting on dollar-denominated government bonds.
Nixon didn't abandon gold because economists suddenly discovered some brilliant new theory. He did it because the math had already sentenced the system to death. By August '71, Fort Knox was down to its last $11 billion in gold while foreign governments held at least $33 billion in paper dollars screaming for redemption. That's not a liquidity problem. That's a corpse with rigor mortis. And that's just the official tally; the real killer was the eurodollar market, that offshore shadow banking system nobody wanted to talk about, where another $50-70 billion in unredeemable IOUs were sloshing around. Meanwhile, Washington was drowning in $400 billion of federal debt with inflation hitting 6% which was a death spiral where every new bond issuance needed higher interest rates to attract suckers, which only accelerated the bleed-out. France wasn't just cashing checks; they were sending battleships to haul away physical gold while the Fed played musical chairs with reserves. Default wasn't a choice. It was inevitable. Nixon just picked how to default: either formally welch on bond payments (catastrophic) or slam the gold window shut (disguised catastrophe). He chose the quiet betrayal, letting the dollar become pure fiat so Congress could keep funding Vietnam and welfare programs without taxing a soul. That's the original sin. Not just breaking gold's back, but breaking the link between spending and accountability. Fast forward to today: $35 trillion in debt, BRICS nations stockpiling gold while ditching dollars, and your grocery bill doubling not because of "supply chains" but because we've spent fifty years printing to paper over every bad bet. Nixon didn't save the economy. He gave politicians a credit card with no limit and told your grandchildren to pick up the tab.
It didn't have enough gold to pay its bonds, so it could either keep the integrity of the dollars intact while defaulting on the bonds, or keep the integrity of the bonds (as measured in dollars) intact while defaulting on the dollars. The latter option allowed it to last a while longer before anyone would notice.
This choice was made some decades before the official day on which the gold standard ended. By 1971, it had already printed dollars to pay its bonds and didn't have nearly enough gold for foreign countries to be able to withdraw all their gold.
You're goddamn right corruption existed under gold. Nobody's claiming it was some purity paradise. But here's the difference: gold didn't enable systemic looting on a planetary scale. Gold didn't prevent sin. It prevented the industrialization of sin. The robber barons were sharks in a pond. Today's fiat-enabled oligarchs are gods reshaping reality. When you can print the fucking rules, accountability evaporates. That's why Nixon's 1971 decision wasn't just policy. It was an engraved invitation for the largest wealth transfer in human history.
Greed and corruption absolutely festered under the gold standard. Boss Tweed embezzled a fortune from New York City coffers, Vanderbilt strong-armed railroads, and Rockefeller crushed competitors with predatory pricing. But here's the huge distinction: gold acted like a leash on a rabid dog. It didn't kill the beast, but it kept it from devouring the whole goddamn village. When robber barons got too greedy in the 1800s, their schemes imploded under gold's brutal discipline. Jay Cooke's bank collapsed in 1873? No Fed stepped in with trillions in printed cash to resurrect his corpse. Markets purged the rot, losers ate shit, and the system reset in years. Not decades of zombie corporations propped up by cheap debt. Corruption back then was like a bar fight: bloody, ugly, but contained. Tweed stole existing gold coins. He couldn't order the Treasury to mint him a fresh fortune overnight.
Vanderbilt couldn't borrow billions at 0% interest from a central bank to buy every competitor; he had to convince investors with real profits, not financialized vapor. Fast-forward to today: fiat didn't invent greed. It weaponized it. LBJ funded Vietnam and the Great Society without raising taxes because the printer go brrr. BlackRock gobbles neighborhoods with Fed-subsidized debt while renters bleed. Tyson jacks food prices 20%, blames "inflation," and pockets record profits because fiat decouples prices from real value. Banks peddle toxic mortgages knowing the Fed will bail them out. Politicians pass $6T "stimulus" bills while your paycheck buys less bread than a 1950s factory worker's. That's the cancer Nixon unleashed in '71. Not corruption itself, but its metastasis into a globalized, systemic looting operation where elites privatize gains, socialize losses, and inflation becomes a tax on the powerless. Gold didn't stop crooks. It stopped crooks from becoming untouchable gods. The 1800s proved humans will always be greedy. Fiat just gave them the universe's credit card and told your grandkids to foot the bill.
Lately I've had to resort to buying avocados from Costco in those little plastic cups because whole avocados in many supermarkets in my region have started to spoil too quickly. Sad.
Until people learn money, the concept, nothing will change. And that in turn will hardly happen while the bad guys own childhood (compulsory schooling).
I don't know, it's really hard to blame them. In a way, the next couple of years are going to be a battle to balance easy access to info with compensation for content creators.
The web as we knew it before ChatGPT was built around the idea that humans have to scavenge for information, and while they're doing that, you can show them ads. In that world, content didn't need to be too protected because you were making up for it in eyeballs anyway.
With AI, that model is breaking down. We're seeing a shift towards bot traffic rather than human traffic, and information can be accessed far more effectively and, most importantly, without ad impressions. So, it makes total sense for them to be more protective about who has access to their content and to make sure people are actually paying for it, be it with ad views or some other form of agreement.
Ads are coming to AI. The big AI push next will be context, your context all the time. Your phone will “help” and get all your data to OpenAI…
“It looks like you went for a run today? Good job, you deserve a treat! Studies show a little ice cream after a long run is effectively free calories! It just so happens the nearest Dairy Queen is running a promotion just for the next 30 minutes. I’m getting you directions now.”
It would not be that much of a problem if ads promoted healthy and tasty food but they will probably promote an ice-cream made from a powder and chemicals emulating taste of berries rather than from milk and fresh-picked berries.
It still would be. Loss of agency. Ads are text and images you see. Native advertising in a chatbot conversation is a third party bidding their way into your conversation. Machine showing you an ad versus injecting intention into your context are very different things.
Weird people talking about small time creators wanting DRM I've never seen that... Usually they'd be hounding for any attention? I don't know why multiple accounts are seemingly independently bringing this up, but maybe it is trying to muddy the waters? This concept?
At least for YouTube, viewbotting is very much a thing, which undermines trust in the platform. Even if we were to remove Google ads from the equation, there’s nothing preventing someone from crafting a channel with millions of bot-generated views and comments, in order to get paid sponsor placements, etc.
The reasons are similar for Cloudflare, but their stances are a bit too DRMish for my tastes. I guess someone could draw the lines differently.
If any of this was done to combat viewbotting, then any disruption to token calculation would prevent views from being registered - not videos from being downloaded.
From my perspective both problems are effectively the same. I want to count unique users by checking for asset downloads and correlating unique session IDs. People can request the static assets directly, leading to view botting and waste of egress bandwidth.
The solution: have clients prove they are a legitimate client by running some computationally intensive JS that interacts with DOM APIs, etc. (which is not in any way unique to big tech, see Anubis/CreepJS etc.)
The impact on the hobbyist use case is, to them, just collateral damage.
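The gate described in the comment above, reduced to its proof-of-work core in the style of Anubis, as an added example that is not part of the original thread or any project's code. The function names, the 12-bit difficulty, the 60-second lifetime and the in-memory replay store are assumptions; DOM and fingerprint checks are not modelled.

```javascript
// Added example: stateless proof-of-work gate, server side (Node.js).
const crypto = require('node:crypto');

const SERVER_KEY = crypto.randomBytes(32); // assumption: per-deployment secret
const DIFFICULTY_BITS = 12;                // assumption: ~4096 hashes on average
const TTL_MS = 60_000;                     // assumption: challenge lifetime

// Bind seed, expiry, difficulty and client together so none can be altered.
function sign(seed, expires, bits, clientId) {
  return crypto.createHmac('sha256', SERVER_KEY)
    .update(`${seed}.${expires}.${bits}.${clientId}`)
    .digest('hex');
}

// The server keeps no per-challenge state: the MAC is the state.
function issueChallenge(clientId, now = Date.now()) {
  const seed = crypto.randomBytes(16).toString('hex');
  const expires = now + TTL_MS;
  return { seed, expires, bits: DIFFICULTY_BITS,
           mac: sign(seed, expires, DIFFICULTY_BITS, clientId) };
}

function powHash(seed, nonce) {
  return crypto.createHash('sha256').update(`${seed}.${nonce}`).digest();
}

// Number of zero bits at the start of a hash.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte === 0) { bits += 8; continue; }
    bits += Math.clz32(byte) - 24; // clz32 counts over 32 bits; a byte uses the low 8
    break;
  }
  return bits;
}

// What the client-side script would do: brute-force a nonce.
function solve(challenge) {
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(powHash(challenge.seed, nonce)) >= challenge.bits) {
      return nonce;
    }
  }
}

// seed -> expiry, so one solution cannot be replayed by many requests.
const spent = new Map();

function verify(challenge, nonce, clientId, now = Date.now()) {
  const expected = Buffer.from(
    sign(challenge.seed, challenge.expires, challenge.bits, clientId), 'hex');
  const given = Buffer.from(String(challenge.mac), 'hex');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return 'bad-mac';
  if (now > challenge.expires) return 'expired';

  // Forget seeds whose challenges can no longer pass the expiry check.
  for (const [seed, exp] of spent) if (exp < now) spent.delete(seed);
  if (spent.has(challenge.seed)) return 'replayed';

  if (!Number.isSafeInteger(nonce) || nonce < 0) return 'bad-nonce';
  if (leadingZeroBits(powHash(challenge.seed, nonce)) < challenge.bits) {
    return 'insufficient-work';
  }
  spent.set(challenge.seed, challenge.expires);
  return 'ok';
}
```

Verification costs the server one HMAC and one hash, while each new solution costs the client thousands of hashes; that asymmetry raises the price of bulk requests but says nothing about whether a human is present.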
No, the difference is: if I'm fighting viewbots, I want zero cues to be emitted to the client. The client should NEVER know whether its view is being counted or not, or why.
Having no reliable feedback makes it so much harder for a viewbotter to find a workaround.
If there's a visible block on video downloads? They're not fighting viewbots with that.
YouTube has already accounted for this by using a separate endpoint to count watch stats. See the recent articles about view counts being down attributed to people using adblockers.
Even if they hadn't done that, you can craft millions of bot-sponsored views using a legitimate browser and some automation and the current update doesn't change that.
So I'd say Occam's razor applies and YouTube simply wants to be in control of how people view their videos so they can serve ads, show additional content nearby to keep them on the platform longer, track what parts of the video are most watched, and so on.
If the content needs to be copied or downloaded in order to be watched, you may do so exclusively under terms set by the licensor, period. You may not even get fair use rights, as to get the content in the first place you might have to agree to terms of service waiving them, and being found to use the content in an unapproved way would be grounds for cutting off your access.
Like another comment mentioned: that's a problem for YouTube to solve.
They pay a lot of money to many smart people who can implement sophisticated bot detection systems, without impacting most legitimate human users. But when their business model depends on extracting value from their users' data, tracking their behavior and profiling them across their services so that they can better serve them ads, it goes against their bottom line for anyone to access their service via any other interface than their official ones.
This is what these changes are primarily about. Preventing abuse is just a side benefit they can use as an excuse.
There could be valid reasons for fighting downloaders, for example:
- AI companies scraping YT without paying YT let alone creators for training data. Imagine how much data YT has.
- YT competitors in other countries scraping YT to copy videos, especially in countries where YT is blocked. Some such companies have a function "move all my videos from YT" to promote bloggers' migration.
> Like Google has been doing to the entire internet, including people’s movement, conversations, and habits… for decades?
Yes, but if you allowed your site to be indexed (companies even spent money to make their sites better indexable), Google used to bring customers, and AI companies bring back nothing. They are just freeloaders.
Music labels publish the music on YT in exchange for ad revenue. They won't be happy if someone downloads their music for free, and making music is expensive; google how much just a single drum mic costs, and you need a lot of them.
YT shares income from subscriptions with music labels? I didn't hear about this, and even if they shared, the download must be paid much higher than a view because after downloading a person could potentially listen to a track a hundred times in a row.
Why is this being downvoted? Are people really gonna shoot the messenger and fail to see why a company may be willing to protect their competitive position?
Everything trends towards centralization on a long enough period.
I laugh at people who think ActivityPub or Mastodon or BlueSky will save us. We already had that, it was called e-mail, look what happened once everyone started using it.
If we couldn't stop the centralization effects that occurred on e-mail, any attempt to stop centralization in general is honestly a utopian fool's errand. Regulation is easier.
I am a big supporter of AT Protocol, and I contribute some money to a fund to build on it. Why laugh at running experiments? Nothing will "save us," it is a constant effort as long as humans desire to use these systems to connect. Email exists today, and is very usable still as a platform that cannot be captured. The consolidation occurred because people do not want to run their own servers, so we should build for that! Bluesky and AT Protocol are experiments in building something different, with different use cases and capabilities, that also cannot be captured. Just like email. You can run your own PDS. You can run your own stack from PDS to users "end to end" if you so choose. You can pay to do both of these tasks. No one can buy this or take it away from you, if it is built on protocols instead of a platform someone can own and control.
Regulation would be great. The EU does it well. It is lacking in the US, and will be for some time. And so we have to downgrade to technical mitigations against centralization until regulation can meet the burden.
And barely a few days after Google did it the fix is in.
Amazing how they simply couldn't win - you deliver content to client, the content goes to the client. Could be the largest corporation of the world and we still have yt-dlp.
That's why all of them wanted proprietary walled gardens where they would be able to control the client too - so you get to watch the ads or pay up.
Good question! Indeed you can run the challenge code using headless Chromium and it will function [1]. They are constantly updating the challenge however, and may add additional checks in the future. I suppose Google wants to make it more expensive overall to scrape YouTube to deter the most egregious bots.
I agree, in some cases and depending on LLM endpoint, some money may need to be spent to enable ripping. But is it cheaper than paying YouTube/Google? That is the question.
Once JavaScript is running, it can perform complex fingerprinting operations that are difficult to circumvent effectively.
I have a little experience with Selenium headless on Facebook. Facebook tests fonts, SVG rendering, CSS support, screen resolution, clock and geographical settings, and hundreds of other things that give it a very good idea of whether it's a normal client or Selenium headless. Since it picks a certain number of checks more or less at random and they can modify the JS each time it loads, it is very, very complicated to simulate.
Facebook and Instagram know this and allow it below a certain limit because it is more about bot protection than content protection.
This is the case when you have a real web browser running in the background. Here we are talking about standalone software written in Python.
This is just one element among many others. They probably have many available and others in reserve in case one becomes obsolete.
I recently discovered that audio codecs, frequencies, resolution, mix volume, etc. are accessible via JS in the browser and that this allows fingerprinting. Since we are talking about YouTube, the same type of technique should be possible with video codecs.
Because the expected values are not fixed, it is possible to measure response times and errors to check whether something is in the cache or not, etc.
There are a whole host of tricks relating to rendering and positioning at the edge of the display window and canvas rather than the window, which allow you to detect execution without rendering.
To simulate all this correctly, you end up with a standard browser, standard execution times, full rendering in the background, etc. No one wants to download their YouTube video at 1x speed and wait for the adverts to finish.
In sticking to vanilla HTML/CSS/JavaScript for my hobby projects over the past ten years, I've come to enjoy writing "simple" code with minimal dependencies and bare-bones interfaces. I believe that the skills I've learned in doing so have benefited me many times since then, especially during the times when I needed a specific tool, ASAP, for my job as a biomedical researcher. Without needing to look up documentation or tease apart the workings of frameworks, I've been able to make hyper-specific web-based GUIs for image labeling and more, sometimes quicker and better than the programmers hired for these jobs, who would otherwise need constant communication and supervision to ensure that the correct thing is built.
A while back I installed uBlock on my grandparents' computer to help them avoid scammy ads. This change will make it more difficult and dangerous for elderly users to browse the internet. As a young nerd, I can switch to Firefox easily, but I can't imagine it will be easy for everyone. My experience from using Firefox is that it has its own quirks, and comes with its own learning curve.
I don't know what to say but to encourage everyone to make some noise. Please let your representative know about this. Hopefully we can still put a stop to this before it's too late.
It was pretty straightforward for me to install and use yt-dlp. On a Mac with Homebrew you can do `brew install yt-dlp` to install it in one command. IIRC yt-dlp also provides binaries you can install directly. I'm not sure if installing Docker and running a web server is in any way easier than that.
However, there are ways to download Youtube videos without installing a native app. For example, it is possible to use a library like Youtube.js [0] to make a browser extension that downloads Youtube videos directly. You won't find those on Google's web store due to policy, but you can find a handful on GitHub.
The moov contains a list of byte offsets which the player can use to directly access media data. You can skip the moofs and other headers inside by using gaps in the offsets.
Having worked with some MP4 demuxing for my extension [1], I feel the pain. Lots of times I would play the video only to find inexplicable issues such as drifting audio. I highly recommend using an mp4 inspector tool, such as mp4box [2], to debug these issues.
Great article. I've always thought that pessimistic sci-fi dystopias were on the rise, but it turns out most still have positive endings. The observation about walking out of the theatre, and seeing the worst ahead of us is quite interesting.
It would be cool to compare with other, non sci-fi stories. EG: I have been noticing the rise of escapist fantasy narratives in popular media — wish fulfillment stories where a Mary Sue-like main character rises above all challenges without struggle. You can see this particularly in light novels, manga, and anime in the now popularized "isekai", "cultivation", or "system progression" genres. It would be interesting to find out how the public's fascination with these types of stories correlates with economic, social, or political undulations in the real world.
Cyberpunk was always the “real sci-fi” in terms of what was actually going to happen wasn’t it? Murder drones, corporations having more power than nation states, the EU bloc becoming regulatory, climate havoc, the gig economy and a continuous restructuring of centralised society.
It also didn’t have a lot of happy endings. Because the world didn’t end, it just got continuously shittier.
Some would argue we are already living Cyberpunk, just without all the cool stuff.
BTW, why single out "the EU bloc becoming regulatory" as something negative prophesied by Cyberpunk? I have recently watched a video about the timeline of Cyberpunk 2020/2077 (which is just one universe, granted), and the EU sounded like the only ones who had their shit together, even though they were facing sabotage from all directions.
The world of Cyberpunk RPG essentially has EU be a lot nicer NUSA, with considerable economic domination (thus the use of eurodollar, which was one of the names floated for what became the Euro currency), Soviet Union as this really schizo place but which on basic human decency scores miles above post-USA America, and an alliance of African nations as the unexpected black horse who made a huge resurgence in space (which also contains probably the only really "free" nations - the old ESA space habitats and their allies).
This is also reflected (and probably heavily influenced CP2077) in Ghost in the Shell, where the European Union, in a somewhat fluctuating alliance with the Soviet Union, is probably among the best locations to live.
1. Browser extension has a wildcard pattern for content script.
2. Content script passes postMessage messages to the background script using sendMessage.
3. Background script passes the message to native application using sendNativeMessage.
4. Native application handles the message dangerously, leading to code execution.
Requirement 2 seems to be the most important. postMessage messages should never be passed to sendMessage raw without validation. Fortunately, this should be a rare occurrence in the wild. It only provides very specific benefits to use postMessage in an extension to begin with, and developers who do need to use it are more likely to be aware of the potential vulnerability.
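The validation step that the comment above says must sit between postMessage and sendMessage, as an added example that is not part of the original comment or of any real extension. The allowed origin, message types, field rules and the injected `send` function are assumptions made for illustration.

```javascript
// Added example. Origins, message types and field rules are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Per-type allowlist: each permitted field and its validator.
const SCHEMAS = {
  "get-status": {},
  "open-item": {
    itemId: (v) => typeof v === "string" && /^[a-z0-9-]{1,64}$/.test(v),
  },
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a freshly built minimal message, or null when the event is rejected.
function sanitizePageMessage(event, pageWindow) {
  // Accept only messages posted by this window, not by frames or other windows.
  if (event.source !== pageWindow) return null;
  // With a wildcard content-script pattern any site can post; pin the origin.
  if (!ALLOWED_ORIGINS.has(event.origin)) return null;
  const data = event.data;
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  if (typeof data.type !== "string" || !hasOwn(SCHEMAS, data.type)) return null;

  const clean = { type: data.type };
  for (const [field, isValid] of Object.entries(SCHEMAS[data.type])) {
    if (!hasOwn(data, field) || !isValid(data[field])) return null;
    clean[field] = data[field];
  }
  return clean; // fields outside the schema are never forwarded
}

// Content-script listener. `send` stands in for chrome.runtime.sendMessage so
// the logic can be exercised outside a browser.
function makeListener(pageWindow, send) {
  return (event) => {
    const msg = sanitizePageMessage(event, pageWindow);
    if (msg === null) return false; // dropped: nothing reaches the background script
    send(msg);
    return true;
  };
}

// In the extension itself:
// window.addEventListener("message",
//   makeListener(window, (m) => chrome.runtime.sendMessage(m)));
```

The background script should apply the same schema check again before calling sendNativeMessage, since it cannot assume that every sender is this content script.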
> Fortunately, this should be a rare occurrence in the wild. It only provides very specific benefits to use postMessage in an extension to begin with, and developers who do need to use it are more likely to be aware of the potential vulnerability.
I'm not sure you're making a sound assessment of code quality in the wild. What a practiced and responsible engineer might do and what somebody slapping together an extension under deadline pressure or without a strong foundation in defensive practices might do are very different, and there's a lot of that latter stuff out there, some in wide use. That's why so much effort and attention is put into crafting systemic safeguards that (seek to) prevent savvy people from exploiting mistakes by not-so-savvy people.
Stopping at 3 might already be enough if the background script has a sufficiently juicy bug that can be triggered by a message, e.g. if you can exfiltrate cookies or trigger requests with the user's credentials.
Nsig/sig extraction example:
- https://github.com/yt-dlp/yt-dlp/blob/4429fd0450a3fbd5e89573...
- https://github.com/yt-dlp/yt-dlp/blob/4429fd0450a3fbd5e89573...
PoToken generation:
- https://github.com/yt-dlp/yt-dlp/wiki/PO-Token-Guide
- https://github.com/LuanRT/BgUtils
SABR:
- https://github.com/LuanRT/googlevideo
EDIT2: Added more links to specific code examples/guides