Discord is happy to ban people for anything. They even stop people for using alternative clients. If you care about your account, do not mess with discord.
I got banned directly after signup. I got an email 1 second after signing up that I violated the community guidelines. The algorithm didn't like my Firefox/uBlock Origin combo I guess. Now my phone number is tainted and I can't make an account anymore. Oh well, no Discord for me I guess. (They really are very trigger-happy.)
All project maintainers: take notes on why your community shouldn’t be built around Discord’s service. Bridge to it only if you must, but don’t make it the primary chat option.
From my experience, Discord servers tend to draw people who are less interested in talking about the project and more in casual talk and sharing memes. Most of the time these places feel like an equivalent of the shoutbox feature on old forums.
Still, I received more support via Discord than forums, which on the other hand seem to be mostly full of people who vent their complexes and issues on users and lock discussions for absolutely every single stupid thing, just to show they're in charge.
Perhaps a community has to be small, dedicated, mature and aware enough to use e.g. Matrix or other solutions, leaving running blessed, approved discord servers to communities, various enthusiasts.
There are the anime communities already, so it's not just about projects.
Also, on Discord, you can have pretty serious discussions and organise your projects. But it's never done in #general: you need to create specific rooms where users focus.
The shoutout function is at the heart of the group on Discord.
But Discord won users in the first place by allowing them to create rooms and organize discussions.
It was meant to run projects (if you consider an RPG a project, but whatever, as long as it works).
And Matrix is currently too heavy to self-host which means relying on Matrix.org (who also controls the spec).
My vote would be an XMPP MUC that’s bridged to IRC. This keeps it lightweight & decentralized. Both of these options could be run with hundreds or thousands of users on a potato compared to Matrix.
I've been self-hosting a Dendrite Matrix instance for about a year now. I'm only in a few public channels of a few hundred users, but also #matrix:matrix.org which has 44000 users, and it hardly uses any resources.
I have no experience with Synapse, which was apparently quite the hog as far as I know, but Dendrite is quite lean, it seems.
I’ve heard it needs fewer system resources, but the Synapse compatibility needs to be maintained. One of the bigger runaway issues though becomes storage, as the protocol requires replicating the entire chat/attachment history of all users for all of their DMs & chatrooms, which I’ve read caused a lot of folks to shut down their servers either because Postgres bloated up or hosting all the static content got too costly. This model makes sense when folks treat chatrooms like a permanent log, but if you treat it more like IRC, there would be no requirement for replication beyond a couple of messages for a new user to see the current topic to participate (while also covering the case that searching these chatrooms is a pain & much of their discussions should have moved to forums/mailing lists).
I used gtkcord4, and I didn't get banned. I used Vencord, didn't get banned either. Of course, I wouldn't recommend using any of these for the safety of your account, as I was dumb back then and never learned about the risks.
---
Also, one Discord alternative I would recommend is Revolt[1]. Great community, and was famous for being featured in a No Text To Speech video (and my friend's server had a brief cameo too!), and its adoption of discriminators (i.e. randomguyabcd#5408).
From the README of Vencord, one of the most popular mods:
> Client modifications are against Discord’s Terms of Service.
> However, Discord is pretty indifferent about them and there are no known cases of users getting banned for using client mods! So you should generally be fine as long as you don’t use any plugins that implement abusive behaviour. But no worries, all inbuilt plugins are safe to use [...]
I have definitely known people be banned for "selfbots" (and I mean personal utility ones, not actually using a user account as a public service account), however they were almost always doing something unwise and conspicuous, like spamming username change requests for "animations", or showing it off in the API server literally in front of a Discord dev.
Perhaps closer to "cracker", but I agree that this is the sort of knowledge that the corporates don't want us to know --- so they can attempt to squeeze more $$$ out of us without resistance.
I mean cracker in the current sense of the word. And he did the equivalent of inspect element. It was clever, but no real harms were done to any parties.
I disagree. Cracking is, historically speaking, the act of circumventing copy protection mechanisms. So to me, cracking is one of the disciplines of hacking.
A lot of people I've met that reverse malware for a living started out cracking copy protections. It's basically the same skill set. The old SnD forums had an entire section dedicated to it. They even had decompiled Stuxnet samples before anyone really knew what a Stuxnet was.
That entire scene is people just wanting to break protections for the challenge. Not necessarily just copy protections. The InfoSec, and RCE worlds in general, would not be where it is today if it wasn't for them cracking those old games and whatnot.
I'm not accusing the author of doing this, but providing a simple base64 encoded blob at the end to run to enable everything would be a pretty easy attack vector, wouldn't it?
For those too lazy to run base64 --decode, here's the result:
// Here's a cake if you thought about inspecting the code before executing it:
let css = 'font-size: 36px; font-weight: bold; color: red';
console.log("%cNEVER paste code you don't understand into the development console.", css);
console.log("%cThis is the best way to compromise your account.", css);
Wow, I had zero idea you could use string substitution for formatting console.log messages. (Although I guess if I'd stopped and thought about it, there had to be something enabling those big scary messages in the console for certain websites...)
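Since the substitution surprised people here, the following is an added example (not code from the thread) that models how a console applies the format directives in console.log's first argument, so the "%c" mechanism behind the red banner can be inspected outside a browser. The formatter is an assumed simplification of the real console behaviour (covering %s, %d/%i, %f, %o/%O, %c and %%); the banner text and CSS are constructed.

```javascript
// Added example, not code from the thread: a small model of the substitution
// that browser consoles apply to console.log's first argument. Assumed
// simplification of the console formatter (%s, %d/%i, %f, %o/%O, %c, %%).
function formatConsoleMessage(fmt, ...args) {
  const styles = [];   // every CSS string consumed by a %c, in order
  let argIndex = 0;
  const text = fmt.replace(/%([sdifoOc%])/g, (match, spec) => {
    if (spec === '%') return '%';
    if (argIndex >= args.length) return match;   // no argument left: directive printed literally
    const arg = args[argIndex++];
    switch (spec) {
      case 'c': styles.push(String(arg)); return '';   // styling only, emits no text
      case 'd': case 'i': return String(parseInt(arg, 10));
      case 'f': return String(parseFloat(arg));
      case 'o': case 'O': return JSON.stringify(arg);
      default: return String(arg);                      // %s
    }
  });
  // Arguments not consumed by any directive are appended, space separated.
  const rest = args.slice(argIndex).map(String);
  return { text: [text, ...rest].join(' '), styles };
}

// The banner a site can print so that a user who is talked into opening
// DevTools sees it before pasting anything (the self-XSS warning in the thread).
// Constructed text and CSS.
const BANNER_CSS = 'font-size: 36px; font-weight: bold; color: red';
function selfXssWarning() {
  return [
    '%cStop! Pasting code you do not understand into the console can hand your account to someone else.',
    BANNER_CSS,
  ];
}

// Stand-alone run: styled in a browser console, plain text under Node.
console.log(...selfXssWarning());
console.log(formatConsoleMessage(...selfXssWarning()));
console.log(formatConsoleMessage('user %s has %d unread messages', 'alice', '7', '(extra arg)'));
```

The %c directive consumes its argument without emitting any text, which is why the banner string starts with it: the whole remainder of the message inherits that style. Directives with no matching argument are printed literally, and surplus arguments are appended, which mirrors what browser consoles do.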
> NEVER paste code you don't understand into the development console
Tech companies have long achieved security by simply locking people out of choices that they shouldn't make.
I'm suspecting that Google will soon lock people out of Chrome's developer tools unless they can prove they are a developer (with a certificate that's tied to the website they are debugging)
I get that some themes would be enabled this way, but for them to decide streaming quality with a client side check instead of a server side one is quite baffling.
Especially given the fact that they could simply inspect bitrate in/out, they don't even need to access the actual video, it can be fully encrypted (even if not ATM) and by examining how much data is transferred they can know which quality they are streaming at.
Except that bitrate is highly variable; a high quality stream of static content can use way less bandwidth than a lower quality stream encoding a lot of motion.
Now keep in mind they’re continually developing; perhaps testing different scaling preferences, or different codecs like AV1; suddenly you need a host of different bandwidth:estimated quality rates, that change over time and need to be kept in sync with client side changes… it’s not worth it
Currently, Discord doesn’t appear to validate on their servers whether the stream being transmitted truly adheres to the criteria of a non-subscribed user.
I wonder who thought that would be a good implementation. Client-side validation seems like a very novice mistake.
I suspect it's less they thought "this is a great implementation" and more "if people figure out how to break it, we'll patch it." This is the first time in several years of using Discord that I've heard of anyone even trying to circumvent their access/permissions structure for Nitro, so I see no reason why they'd bother unless this was widespread.
Modded Discord clients have been around for quite a while. But indeed, the threat of being banned deters most people, and if just a handful of people use a modded client Discord probably doesn't care.
Yeah, I think it's one of those things where Discord reserves the right to ban anyone using automation on their user account, but in practice they don't take action unless you're clearly doing something malicious or annoying. At least as far as I know.
Once you think about the tech I think there's an obvious steady state:
- It's cheaper not to check on every call server-side and the people who are most likely to dodge in this way are also not likely potential sources of revenue.
- You shouldn't ban every person who tries this. They will gum up support and, on average, won't even be trying to earnestly get features for free.
- Also people who exploit the obviously vulnerable account interfaces may do other things that clue you in to vulnerabilities you care about.
It seems like it's a situation where you can let people fiddle around with this a bit (a few hours, a few days) and ban folks who do it too long (a month?). People who use it heavily are unlikely to be real revenue prospects and, at the end of the day, it's an engagement funnel. People rarely use hacks on a platform they aren't using.
> one day they just go poof and everyone knows why.
I thought the point of ban waves was precisely because there's no direct cause-and-effect. E.g., if you perform an exploit and get banned immediately, you know that the system can detect your exploit. If you get banned a month later, it might have been your exploit or something else you did between then and now.
This reduces the selection pressure on black-hats to produce ban-avoiding exploits.
Yeah, this isn’t a (multiplayer) video game cheat where users are actively harming your product by existing. This is a loophole that allows users more features than they pay for. If they do a ban wave off this, it won’t be good for business. Discord is a social media company, they live and die by the community.
Most people don't realise you can plug almost any HLS URL into ffmpeg and trivially rip the stream. Most live streams don't bother with DRM because it's expensive, fragile, and user-hostile. It's often difficult enough to get the motion picture to display properly at all, let alone with acceptable resolution, latency, and artefact-free. The smart companies prioritise UX over policing the "high tier" features.
Non-nitro users can stream in 1080p60, all they have to do is join a "boosted" server.
Which is very easy to do - you can find tons of freely joinable 'official' servers for games, which are boosted, and then join one of the available voice channels.
I didn't think of this thank you! I wanted to stream in my friend's server for my friends to watch but his server isn't boosted, but now I'm gonna join a random server and stream for strangers instead!
I don't know about "voice servers" but if you use something like coturn, there is no way to finely tune this, because it is just a generic "gateway" that is relaying packets to bypass NAT. You could try to connect to the stream and then check the stream quality after the fact but if there are false positives you are mistreating paying customers, which you certainly don't want to do.
It's also possible to see the names, topics, and timestamp of the last message of hidden channels through their API. The channels are only hidden on the client-side. (To be clear, it's still not possible to view the contents of these channels.)
And also who is in the channel (more generally, you can see the permission overrides on all channels)
It's been a long time since I did any Discord API work but I had assumed they would have fixed this by now. I realise it makes things simpler and more cacheable, but IMO it's a critical and inexcusable user privacy issue to have this behavior with no indication to ordinary users that their hidden channel is in fact quite visible to savvy users. This would be like Google Drive allowing anyone to query filenames (just not content) of private folders.
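The fix the comments above are asking for is to resolve channel permissions on the server and drop channels the member cannot view before the list is ever sent. The following is an added example, not Discord's code: it computes VIEW_CHANNEL from role permission bitfields plus per-channel allow/deny overwrites (a simplified, assumed version of Discord's published permission model; the bit values for VIEW_CHANNEL and ADMINISTRATOR match Discord's documented ones, everything else, including the sample guild, is constructed) and returns only the channels and metadata the member is entitled to see.

```javascript
// Added example, not Discord's code: server-side filtering of a guild's
// channel list by computed VIEW_CHANNEL, so hidden channels' names and topics
// never reach a client that cannot view them. Simplified, assumed model.

const VIEW_CHANNEL = 1n << 10n;   // matches Discord's documented bit
const ADMINISTRATOR = 1n << 3n;   // matches Discord's documented bit
const EVERYONE = 'everyone';      // role id every member implicitly holds

// Permission resolution: base from roles, then @everyone overwrite, then the
// union of the member's role overwrites, then the member overwrite
// (deny is applied before allow at each stage).
function channelPermissions(guild, channel, memberId) {
  const member = guild.members[memberId];
  const roleIds = [EVERYONE, ...member.roles];
  let perms = roleIds.reduce((acc, id) => acc | guild.roles[id].permissions, 0n);
  if (perms & ADMINISTRATOR) return ~0n;   // administrators see everything

  const ows = channel.overwrites ?? [];
  const apply = (ow) => { if (ow) perms = (perms & ~ow.deny) | ow.allow; };

  apply(ows.find(ow => ow.type === 'role' && ow.id === EVERYONE));

  let allow = 0n, deny = 0n;
  for (const ow of ows) {
    if (ow.type === 'role' && ow.id !== EVERYONE && member.roles.includes(ow.id)) {
      allow |= ow.allow; deny |= ow.deny;
    }
  }
  perms = (perms & ~deny) | allow;

  apply(ows.find(ow => ow.type === 'member' && ow.id === memberId));
  return perms;
}

// What the API should return for a member: only channels they can view, and
// only the metadata fields, not the channel's whole overwrite list.
function visibleChannels(guild, memberId) {
  return guild.channels
    .filter(ch => (channelPermissions(guild, ch, memberId) & VIEW_CHANNEL) !== 0n)
    .map(ch => ({ id: ch.id, name: ch.name, topic: ch.topic }));
}

// Constructed sample guild: #general open to all, #staff hidden from @everyone
// and re-allowed for the "mod" role, #audit hidden and re-allowed only for carol.
const sampleGuild = {
  roles: {
    [EVERYONE]: { permissions: VIEW_CHANNEL },
    mod: { permissions: 0n },
  },
  members: {
    alice: { roles: [] },
    bob: { roles: ['mod'] },
    carol: { roles: [] },
  },
  channels: [
    { id: '1', name: 'general', topic: 'chat', overwrites: [] },
    { id: '2', name: 'staff', topic: 'moderation', overwrites: [
      { type: 'role', id: EVERYONE, allow: 0n, deny: VIEW_CHANNEL },
      { type: 'role', id: 'mod', allow: VIEW_CHANNEL, deny: 0n },
    ] },
    { id: '3', name: 'audit', topic: 'incident notes', overwrites: [
      { type: 'role', id: EVERYONE, allow: 0n, deny: VIEW_CHANNEL },
      { type: 'member', id: 'carol', allow: VIEW_CHANNEL, deny: 0n },
    ] },
  ],
};

// Stand-alone run: each member only sees the channels they may view.
for (const m of Object.keys(sampleGuild.members)) {
  console.log(m, visibleChannels(sampleGuild, m).map(c => c.name));
}
```

The cost the comment mentions is real: a per-member filtered list is less cacheable than one shared channel list, which is the trade-off between the two designs.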
Considering how loosely people (especially kids) these days spend money, maybe this is good enough? How many people who understand how to do these hacks and would be willing to pay for Nitro are there? I am sure there are thousands if not tens of thousands of users for all these different Discord client mods that enable all or some of the Nitro features, but would there be any actual revenue from fixing this?
In my opinion paying the $10/mo (if I needed/wanted the features) is way less hassle than trying to keep on top of the mods, which probably break at every Discord update, and then hope the maintainers don't slip in exploits.
What happens if they turn 25 and have grown to expect the nice features? They have more money, less time, and can be a beacon for their peers of "James used to get it for free, now even he pays"
I'd consider it similar to Adobe's old model (easy to crack, but converts to paying customers in a few years)
Are they? They try to sell me Nitro at least once every month, which only gives me the impression that they're desperate to increase their revenue stream to make ends meet.
Personally, I don't care how much usage data they collect as long as they're not selling that data to third parties, or attempt to show me ads.
Of course there's the threat of data leakage, buuuut it's risk I accept, when it comes to my mundane usage of discord.
My main gripe with data collection platforms is how they turn every platform into an ad board. Chief among my disappointments is windows. It's so thoroughly shit now I can't even consider myself a user. I can't really call it an OS anymore. It's something else... An advertisement platform built on top of an os.
It doesn't really matter if they check it or not, I had Nitro for a year during pandemic because I thought I could stream in higher quality. In reality the quality was just as bad, and sometimes video looked very pixelated.
I have gigabit connection at home and a good GPU that does the encoding but I guess Discord doesn't have any servers near me (~1900km to Rotterdam) and it might be prioritizing low latency. The experience was terrible so I cancelled the subscription. All the other paid features seemed useless to me.
I believe Discord's streaming limits itself based on the connection to your viewers as well as their decoding capabilities, because Discord itself doesn't do any transcoding.
Discord has a habit of making it work, then fixing it later. Additionally, how many people are going to bother to pirate themes and high quality screen sharing?
Because this is way more complicated than checking that your CRUD REST API is valid.
We're talking bandwidth here.
Checking for upload is not the issue imo; the issue is that you can watch a 1080p stream as a non-Nitro user. If you don't check it at the upload stage then you should make sure that people can only watch 720p streams.
Like most corporations Discord doesn't care to make decent software. Instead it just maintains a team of lawyers to fix "problems" with its implementations.
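The missing server-side validation discussed earlier in the thread, and the viewer-side check raised in the comment just above, are the two places such an entitlement has to be enforced. The following is an added example and not Discord's code: it puts a client-side gate next to a server-side one, and adds the subscriber-side rendition selection, so a patched client that claims a higher tier gets nothing from either side. Tier names, limits, the user records and the request shape are all assumed.

```javascript
// Added example, not Discord's code: server-side enforcement of a
// stream-quality entitlement on both the publish and the view side.
// Tier names, limits, user records and request shape are assumed.

// Caps each tier allows. The server owns this table; the client never decides it.
const TIER_LIMITS = {
  free:  { maxHeight: 720,  maxFps: 30 },
  nitro: { maxHeight: 1080, maxFps: 60 },
};

// The server's own entitlement record (constructed sample), looked up by the
// authenticated user id, never taken from a flag the client sends about itself.
const ENTITLEMENTS = { alice: 'nitro', bob: 'free' };

function limitsFor(userId) {
  return TIER_LIMITS[ENTITLEMENTS[userId] ?? 'free'];
}

function clamp(requested, cap) {
  return {
    height: Math.min(requested.height, cap.maxHeight),
    fps: Math.min(requested.fps, cap.maxFps),
    clamped: requested.height > cap.maxHeight || requested.fps > cap.maxFps,
  };
}

// The flawed model the thread describes: the gate lives in the client, so the
// server effectively trusts whatever the client claims about its own tier.
// A patched client just sends claimsNitro: true and gets 1080p60.
function clientSideGate(requested) {
  return requested.claimsNitro ? clamp(requested, TIER_LIMITS.nitro)
                               : clamp(requested, TIER_LIMITS.free);
}

// Publish side, hardened: the server clamps the offer against its own record
// of the user's tier and ignores anything the client asserts.
function negotiatePublish(userId, requested) {
  return clamp(requested, limitsFor(userId));
}

// View side, the point raised about viewers: even if a 1080p60 stream is being
// published, each subscriber only receives the best rendition their own tier
// allows, or nothing if none fits.
function selectRendition(viewerId, available) {
  const cap = limitsFor(viewerId);
  const eligible = available.filter(r => r.height <= cap.maxHeight && r.fps <= cap.maxFps);
  eligible.sort((a, b) => b.height - a.height || b.fps - a.fps);
  return eligible[0] ?? null;
}

// Stand-alone demonstration with a constructed request from a patched client.
const hostile = { height: 1080, fps: 60, claimsNitro: true };
console.log('client-side gate, bob:', clientSideGate(hostile));
console.log('server-side, bob     :', negotiatePublish('bob', hostile));
console.log('server-side, alice   :', negotiatePublish('alice', hostile));
const renditions = [{ height: 1080, fps: 60 }, { height: 720, fps: 30 }, { height: 480, fps: 30 }];
console.log('bob views  :', selectRendition('bob', renditions));
console.log('alice views:', selectRendition('alice', renditions));
```

Note that neither server-side function reads `claimsNitro`; the only input that matters is the authenticated user id, which is the property that makes the check hold against a modified client.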
I use Discord all the time, but I have seen zero reason to get Nitro. Every time they try to upsell it to me the "features" are unnecessary. The marquee feature is either "50MB uploads" (Nitro Basic) or "500MB uploads" (Nitro). Is this per file, per day, per month??? I only share the occasional screenshot or small file, so uploads have never been an issue. The rest of the "benefits" - "server boosts", custom Emoji, or a special Nitro Badge - seem ridiculous. What do people use this for?
It's per file, although I also think it applies per message (i.e., you can upload 10 photos at a time, but they can't collectively exceed 50MB on the free plan; you'd have to split them across multiple messages).
It's 50 MB on Nitro Basic, and like 5 MB on the free tier. This has bit me a few times when sharing screenshots (4K ultrawide), but I still wouldn't pay for a service Imgur & co provides for free.
What's wrong with just paying for software you find useful / you want to support? Custom emoji are fun to me, so you just aren't the target audience lol
What's wrong with realizing that a business is charging money in exchange for product features, and then evaluating whether the features are worth the price?
It's one thing when they raise donations, and they leave you a custom window to put your price. But when you say "these features will cost 10 bucks for you" then it's not about whether you have the money or not, but whether the exchange of goods holds an equal worth for both parties.
And also, in the bizarre world where Discord monthly was 5 bucks but people wanted to pay 10 because it's that good (value is subjective, I get it), and they really want to show their admiration then nothing stops them from paying for 2+ accounts!
I've seen a similar argument for a game that came out that had no battle pass. "Oh I would love to have battle pass in the game, the company deserves the money for the good product", well buy 2+ copies and gift them to your friends or family then. No reason to burden the average player with added micro-transactions on a fully priced product to express gratitude.
Before the username change, to keep my discriminator. Now the main reason is better stream quality — I stream games to my friends often.
Also, in general, I think it’s good to support companies whose (otherwise free) software I use. Maybe if I give them money it will make them less likely to seek “alternative” revenue streams. $8 a month ($3 for Basic) is a fairly affordable way to support a service that I use daily. E.g. I also pay for Strava Premium, Lichess, Godbolt, etc despite almost never actually using their paid features (or they have no paid features).
Disclaimer: I do work for Discord right now (summer intern), but I had been paying for Nitro for ~two years before I joined.
Previously, you had a random 4 digit discriminator assigned to you when you made your account.
With nitro, you could choose the discriminator for as long as your subscription was active, which users picked to have a vanity one like `User#0001`
This made it easier to send your id to friends, not having to remember the 4 random numbers but didn't provide any value otherwise.
Perhaps some people are so conditioned to paying for optional premium stuff that they feel better doing so and see themselves as above those who don't drop a single penny. You know, it's like showing-off wealth IRL by wearing top brand clothes and shiny jewelry etc. Just a guess.
Hmm, this was the #1 reason I was paying for Nitro (or maybe it's Nitro Lite?). I was sick of my photos being rejected unless I downsized them. I'll probably still keep it for video uploads since those are bigger than 50MB sometimes.
Because you aren't the target audience then. The limit is per file.
I have Nitro (the $10 one), I use Discord a lot, I love custom emojis, badge doesn't matter to me, boosting doesn't matter to me, I like the themes, I like having longer character limits, I like having double server capacity (200, instead of 100)
> The marquee feature is either "50MB uploads" (Nitro Basic) or "500MB uploads" (Nitro). Is this per file, per day, per month???
It's per-file.
> I only share the occasional screenshot or small file, so uploads have never been an issue.
When I was running a 1440p monitor, screenshots usually ran into the upload file size limit. I would have to manually resize them. This was a hassle, so I started paying for Discord Nitro. I'm fine with it, I certainly get value from Discord.
A reminder: everything sent via Discord, including DMs, is being logged in plaintext by Discord and will be available to them and whoever buys them (it was looking to be Microsoft for a while, though now it looks like they will IPO).
Simply having an account there normalizes having personal conversations that can be easily data mined for AI, or otherwise used by Discord or their database/systems administrators. Section 702 of the FISA Amendments Act (FAA702) allows the federal police to access all of same without a warrant.
The crypto frontrunning possibilities alone must be worth dozens of millions per day.
Friends don't encourage friends to use non-e2ee chat systems. Don't be the honey in the trap.
It's long been normalized, Discord has already won. I'm not saying that it's great, but for certain communities you don't have a choice, besides not participating.
It's actually even worse than back then, when it was "everyone has WhatsApp" because you could easily contact the people otherwise, you already had their number. But imho personal conversations are not the draw for Discord, it's communities with semi-public spaces (public as in 100 people will read it, not "it's available to everyone").
There’s an issue with metadata & the requirement of sharing one’s address book to use WhatsApp. I wouldn’t be surprised if it too, like Signal, required users to have an Android/iOS primary device & a phone number or you can’t use the service, which has privacy implications but also feeds the mobile OS duopoly as you can’t choose another OS (or to just not have a phone).
It does require a phone number. Alternative clients are banned by terms of service which means you can only choose the platforms they support which means iOS or Android.
Reminder: everything sent on a forum, including DMs, is being logged in plaintext and will be available to the administrator
Unless you're using one of the few services implementing a true zero-trust model where the user manages their own keys, then obviously this is true. They are storing your messages, yes... so that you can access them
I realise there are services like Matrix which do pull off E2E group messaging in a relatively friendly way, but they are the exception. It's unfair to accuse Discord of unique alleged malice for behaving the same as 95% of electronic communication platforms ever
Is this really the case? I'm skeptical because I kept a conversation with someone who deleted their whole account. The messages are still there on my end which means Discord still has them.
User account deletion sadly does not imply deletion of said user's previous messages. They are instead coalesced to a unified ghost user. Messages have to be deleted manually.
In the good old times Discord's dev console wasn't even locked and I remember using it to file a bug report with a good description. At least they still provide an easy way in; I've also given up on debugging some other Electron apps where I only had the binary.
Recently OpenAI suddenly disabled their beta testers' Discord, and I couldn't see who or what we had all been discussing anymore. I wondered if there was a way to export chats so server managers couldn't just cut a community off from each other with no record to browse afterwards. There are a bunch of Chrome extensions out there to export Discord chats but most seem to have some payment-gated features.
Turns out just copying the extension source out of the Chrome folder, modifying the "is_pro"-like boolean checks in the JS and loading it back as an unpacked extension is very easy.
FYI while this will display the various channels, if your account does not have access to the channel, you cannot export its logs. For channels you can collect, you get the author, datetime, message content, links to any attachments, and reaction counts (but not who made the reactions).
I've been using DCE to do some analysis on student interactions. This was a hurdle we ran into while exporting logs for various class channels.
I've been enabling devtools and the button for 1080p60 streaming ever since I saw the possibility to just do it client side. And it works. I don't know for how many years by now, but apparently no one at Discord cares.
I once tried to go down this road but failed to have a consistent way of patching the client, especially after updates, and basically gave up. Now this method is sparking my "let's crack this open and poke around" itch again!
Is there a simple way to go through the available API through this method? I tried logging everything but it's a hot mess with maps, i18n, etc. Wonder if someone has gone through the trouble of creating a reverse-engineered doc kinda thing.