ev1 5 years ago

This has been well known for a while; they block all third party clients and libraries outside of using their official bot API.

Having been on the receiving end of over 50k compromised accounts attacking my server (with verified phone enabled); largely stolen oauth/access tokens from real users, I can also see why they would do that as a platform owner.

On the other hand, as a rms-thoughtpattern, this is awful.

  • sim_card_map 5 years ago

    Spam attacks have nothing to do with 3rd party clients.

    • timpattinson 5 years ago

      malicious 3rd party apps can probably steal the login creds pretty easily to launch whatever type of spam attack

    • sudosysgen 5 years ago

      This is probably true. The amount of phishing scams I've seen on Discord leads me to believe that is by far the main way it is done, and the scale is more than sufficient for the attacks we're seeing.

    • kenniskrag 5 years ago

      Then there is less incentive to install one, which will lead to fewer possible targets. I think they compared the risk of compromised third party clients to the usability.

    • notamy 5 years ago

      Third-party clients will often fail to act like the first-party one, causing them to be detected as userbots and banned automatically, among many other things. Modding the official client is usually looked past, as long as it doesn't touch the websocket/REST APIs in any way, but custom clients are verboten.

      Obligatory "I don't work at Discord, just actively develop against their API" goes here.

    • m12k 5 years ago

      I'm pretty sure the official client doesn't have the scriptability needed to be useful for perpetrating spam attacks. So the point being made was that banning 3rd party clients is one of the most effective ways to prevent spam, but at the cost of also banning benign use too.

      • notamy 5 years ago

        There are third-party mods for the client (see ex. https://github.com/powercord-org/powercord), but those are generally responsible in discouraging API abuse.

        • jaywalk 5 years ago

          What does Powercord do? This is the first time I've been made aware of third-party mods for Discord, so maybe there's something obvious that I'm missing, but even looking at their website (https://powercord.dev/) there seems to be absolutely no information about what it actually does.

          • 2fast4you 5 years ago

            It seems to be a platform for other plugins/themes to target

      • sudosysgen 5 years ago

        As an Electron app, you can make the official client do literally anything with a bit of effort.

      • rozab 5 years ago

        The official client is basically a chrome instance. You can press ctrl+shift+I and put in any script you like.

        So far (to my knowledge) discord hasn't made any effort to prevent modding of its official client. Most people just do it to inject css etc.

        • ev1 5 years ago

          They don't typically care about client mods as far as I can tell, the use case they ban accounts for is using a third party client entirely.

          That being said I don't think slack/discord should be a thing for open source communities.

    • ev1 5 years ago

      "Raids" or spam attacks use 3rd party clients/headless libraries that fingerprint identically as this repo, unfortunately.

      There are also a number of cases where a few third party clients that let you modify the background, font, etc. came with malicious code to steal tokens.

  • Derek_MK 5 years ago

    Outside of bots and spam, third party Discord clients also often disable a lot of Electron's options that guard against XSS stuff escaping the sandbox, which is pretty dangerous. I wouldn't be surprised if Discord wanted to minimize the chance of some really big problem stemming from lots of users using these unsafe versions.

    • arsome 5 years ago

      The client in question here doesn't use Electron at all, so I don't think that'd be too relevant.

mxscho 5 years ago

Discords around financial or economic topics (e.g. cryptocurrencies, Steam trading) are heavily abused by scammers that use large numbers of bots to attack or phish users. I could see an argument where Discord wants to keep control over how they are fighting such abuse, and banning all non-granted API access could be one part of that.

rvz 5 years ago

This isn't really surprising since Discord owns the whole API, and it was only a matter of time before this would happen, which is why I have little hope for third-party clients for GitHub, Twitter, Reddit, YouTube etc, since they have official clients for them. [0]

Either the API gets blocked for third-party clients, or you purchase a high price for it.

[0] https://news.ycombinator.com/item?id=22609319

neuland 5 years ago

This project seemed innocuous enough. And it's a shame Discord killed it. As long as services are centralized, platform owners keep doing things like this.

samdixon 5 years ago

I wonder how long until Discord starts blocking things like Matrix or IRC Bridges. That or the Bot API may already be useful enough to say something "works", but is so functionally useless that you have no reason to use it. (e.g. you can bridge to a channel, but not bridge instant messages)

dboreham 5 years ago

AOL Instant Messenger wars returned.

ColinWright 5 years ago

Can someone please do an ELI5 for this? I have no idea what it is, what it relates to, or why it's important, other than:

* It's about 'bots, and

* It relates to Discord.

Thanks.

  • hundchenkatze 5 years ago

    It's nothing specific to bots. Discord's TOS doesn't allow you to use a third-party client. This has been the case since day 1 (I think) but they haven't been enforcing it. Now the creator of this client has had their account banned, so it seems that Discord may be cracking down on the use of unofficial clients.

    • Ennea 5 years ago

      Mind you, Discord's ToS do not specifically mention third party clients at any point. They do say that they can ban your account for whatever reason, however.

passerby1 5 years ago

Reminds me of a similar ICQ policy. How does Discord enforce this? Do they use similar tactics, like frequent protocol changes?

  • ev1 5 years ago

    They collect a significant amount of device information, even more if you have the apps instead of just browser, do tons of fingerprinting, all things I would consider gross as a personal opinion

bzb6 5 years ago

As their terms of use have said since day 1. What’s the news?

  • jaywalk 5 years ago

    The news is that they've suddenly decided to enforce something that has been ignored since day 1.

pearjuice 5 years ago

Discord bans users for not adhering to the terms of service is a better title.

ddevault 5 years ago

This kind of behavior should be illegal. Remind me again why anyone here is using proprietary chat software? Just use IRC, or if you simply must use something else, use Matrix.

  • toastercat 5 years ago

    User-friendliness. IRC and even Matrix are daunting to the average mom or gamer-friend. Even if they're not, there's the network effect (I can't convince even a quarter of my friends to move over to Matrix or IRC).

  • jaywalk 5 years ago

    This kind of behavior should absolutely not be illegal. As much as we might hope for and prefer open APIs, companies must have the right to protect their APIs as they see fit.

  • h2odragon 5 years ago

    My wife and child can use discord. Anything else is "just for talking to daddy" and not worth the trouble to learn how to use.

  • bootstamping 5 years ago

    Discord has integrated:

    * communities (as servers)
    * forums (as text channels)
    * direct messages
    * voice chat
    * video chat
    * private group calls

    This can all be used from their web-app. Their centralized server model allows people to join/leave calls at will, saves conversation history, and just so happens to give the company a great deal of data. It's all extremely convenient.

    I agree with you that Discord is abusive of its power, and I would much prefer to utilize a free-software solution. Unfortunately, I do not believe any communication software in the world, free or unfree, comes close to the value proposition of discord.

    • pritambaral 5 years ago

      > This can all be used from their web-app

      Video chat and screen sharing are not supported on their web app, and they push you to download their (electron) app for those features.

  • z3t4 5 years ago

    I think the problem is the business model where the strategy is to grow big enough so you can sell to someone that knows how to abuse a monopoly. How do you grow big? Give away stuff for free, pay gatekeepers like ISPs so users can use your service for free, and pay platforms to have your service as the default.

    Why do users use it? It's cool, it's free, and others are using it.

    What happens when you sell? The founders get a lot of money, the software becomes uncool, and users will be leaving to another chat app that is cool and free.

  • neilv 5 years ago

    I wouldn't say illegal: as a producer, Discord obviously owns the platform, the rules seem sufficiently within the bounds of convention right now, and consumers are still free to choose.

    The main problem I've seen with Discord is on the consumer end, in some cases: we've even had FOSS projects and advocates, of all people, moving away from FOSS and open standards, in the tools they use themselves, to embrace very non-open systems.

    Some huge drawbacks to non-open systems have been understood for a few decades. And so there have been some industry collaborations on interoperation, some very hard-fought battles, some major human achievements of distributed cooperation to build great things... but then too often we just casually discard societal progress.