Discord's phone verification is awful. They are using some super old database of what provider is associated with your phone number. I ported a Google Voice number to Verizon and they said I can't use it for phone verification because it's Grand Central, a company that went out of business before Discord even came into existence.
I pay them $99 a year, and their customer service treated me like shit for this. What do I care if someone hacks my account and destroys the large community that I moderate? That's their problem, not mine. But I doubt they care.
I am more and more thinking of this as a symptom of the "Data wars." I define that as the conflict between how much data someone is willing to share in exchange for a 'free' service.
The services aren't free of course, they pay their overhead and costs by re-selling the data they collect about their users. And as other sources of revenue (like ads) have lost value the data service has filled in. And since the data buyers know that the service provider is in a weak negotiating position they keep pressing on them to get more and more datamilk out of their data cows for the same amount of money.
The pressure is on to create a low friction pay as you go service for these things that don't extract data.
Since the OP is specifically talking about Discord, it’s worth mentioning that what you’re talking about doesn’t seem to be the case for them - they make money from Nitro subscriptions and their game store, and state in their privacy policy that they are “not in the business of selling your information” (https://discordapp.com/privacy, in the section ‘Our Disclosure of Your Information’).
So relating back to the post, their justification doesn’t necessarily make it right, but I think it’s incorrect to attribute it to a malicious cause.
It's frustrating to be a power user in general with these sort of 'automated lockout detection' mechanisms.
I've lost count of the number of times I've tried to log in to, I dunno, eBay or whatever, and computer says no, and I have to call some bloody line and speak to someone who hates their job and doesn't understand what I mean when I talk about IP addresses.
I wish that these services had a way to check some box and say "look, I really know what I'm doing, let anyone with the correct password/SSH key/whatever in".
If it gets hacked, _then_ I can go through all of that shit. In this case we're talking about a bloody chat server for christ's sake.
Yeah, you wish for too much. I remember losing my MAL account (yeah, don't judge me) which I had for like 10 years (probably longer, really), not because I didn't have the correct password — I did, but because they fucked up with security not long before that and I suddenly needed to verify it was me via some email account I didn't use for the same 10 years. I mean, really, somebody stealing my MAL account? Why would anybody need that, even I don't need that, it was just silly losing my account I had for so long, because they care so much about me not losing my stupid account. So, fuck MAL. And fuck twice any service that needs to verify my email/phone/passport name more than it needs my money I am ready to pay for pizza delivery or whatever.
You think the right set of people will check that box? And that if they do get hacked they won't cost the company a ton of resources in support/lawsuits/etc?
You have to remember that even if you don't care about your account getting hacked, hacked accounts are a nuisance for other users of the platform as well.
Tor breaks a lot of shit for me, and I don't even bother with captchas because it usually just flags me as a bot. So I don't think this is particularly surprising or out of the ordinary.
But yeah, Discord used to be held in high standards by me and plenty of other gamers, but they have made it clear that they cannot handle tough situations, and don't really care about their userbase. Someone should start a privacy-focused phone number as a service, with access to texts online and through an app. Allow people to basically have a spam phone number that they can give out to online services, but make people pay for it obviously. Like 10minutemail but long term and for texts only.
Why the insistence on Tor? Just use a normal VPN. Tor exit nodes are limited in number, and the same IP probably ends up being used by thousands of people... I assume a lot of them use it for nefarious reasons so you just end up in the same bucket. To some extent VPN providers can get hit by this too, but it's easy to just switch outbound IPs (for most of them).
And if you want more than that, get a cheap VPS and install OpenVPN on it (you get your own unique exit IP address) - pay with bitcoin for the privacy aspect, also a good place to install an ad-filter, a secure DNS proxy (DOH) and so on.
I also don't understand the 2FA point, that says nothing about your accounts' intentions.
The account history is an interesting point... if you have a long-standing history with no reports of inappropriate actions, they should factor that in somehow into their algos.
> I refuse to provide phone verification as I believe it is Discord's fault for flagging my account...
> I will be communicating with a couple communities with which I'm involved to explain that I am unable to use Discord
Does this person not have a phone? 'Unable' seems like a stretch. If this person said, "I don't want to provide my phone number to Discord, so I'm going to stop using it" I'd understand.
Their opening email also strikes a pretty aggressive tone -- calling Discord anal, insulting, "spit in my face" then goes on to make a number of demands of the company? I'm not super surprised the customer service rep on the other side didn't go out of their way to help.
In that sense, bureaucracies are aggressive by default; that they use friendly language doesn't change this.
Imagine that one day, your car locks you out, and there's a smiley face and it says "oh hey, just call this number dude". Is that any less aggressive simply because it's 'friendly'? Of course not.
In many ways it's worse - because it's almost sarcastic (it's not _really_ that way, of course, because the customer support agent in this scenario is a robot, but it sure feels like it).
Just a note: I do not ask to have my blog entries submitted to this site, precisely because the comments I receive here are very presumptuous and negative. I have had prior interactions with Discord which influenced the tone of my E-mail. My blog post is simply presented as-is and I really do not care what others have to say about it, but I have no control over what is submitted here. I just want people to keep this in mind should future posts of mine be submitted, before someone points out "hey, you got onto Hacker News again" and I have to be subjected to a bunch of people not getting the full picture (and even some people complaining how pink my site is... grow up).
> Does this person not have a phone? 'Unable' seems like a stretch. If this person said, "I don't want to provide my phone number to Discord, so I'm going to stop using it" I'd understand.
If I say "I am unable to do X" that might mean "My conscience compels me to refuse to do X" or "I literally cannot do X". Both interpretations are valid.
> Their opening email also strikes a pretty aggressive tone -- calling Discord anal, insulting, "spit in my face" then goes on to make a number of demands of the company? I'm not super surprised the customer service rep on the other side didn't go out of their way to help.
I suppose I agree with you that the email is rude. Then again, I don't mind giving out my phone number and email even though companies are using these things to track me, build a profile, and spam me. I'd rather that they didn't; I think it's corrosive behavior. But it doesn't affect me much and so I put up with it. Point is, the writer of these emails could be seen as heroic because he or she has principles and is refusing to back down (despite the rudeness).
Like I said, I have similar principles but I'm not too fussed about them. This worries me sometimes. This level of invasion of privacy isn't the hill I'm willing to die on but I hope there is a hill I'd die on. If not, I'm an unprincipled person.
Discord's been an abusive member of the community for a long time. They distort nomenclature, mislead about their intentions, and aren't able to show that they protect personal information.
As a light and funny example, Discord doesn't comply with the OpenSSL license.
I don't know any of the specifics of what's going on here, but phone verification is sometimes very tricky even for willing people, with a phone, and from western countries. I can't get a Lyft even when in the US because their verification system only works for US phone numbers and I have a British one!
He says he's using tor to access Discord. While there's nothing inherently wrong with that, the IP addresses of his exit nodes are probably flagged as frequent sources of abuse.
People underestimate how hostile the internet truly is. I run a small website for a friend -- I'd say 90% of our traffic is spam/exploit fishing. I have at times blocked whole countries because we didn't have any business in that region and the abuse would not stop.
This is a typical response from service companies in the Internet age. They don't care about truth, or what actually happened, the algorithm says you're bad then you're bad. There's no human to appeal to, no human oversight of if their algorithm is right or wrong. They use another algorithm to check it, which tells them that you must be a bad actor.
I've had my own issues with Lyft that are similar. Banned from using their service even though I've never actually ordered a ride from them. Banned upon sign up. No review, no appeal, they don't even follow their own terms of service.
I'm not one to normally advocate for government regulations and oversight, but there's way too much consumer abuse for these Internet age services. Consumer protections can't come soon enough.
To be fair, I don't think humans have any way of verifying that you're trustworthy. Anyone can send email from your email address. Anyone can fake a driver's license. Anyone can get a phone number that meets their criteria. Knowing who someone is on the Internet is nearly impossible. Knowing whether or not to trust someone once you know who they are is nearly impossible.
There is no system of human <-> corporation trust in the real world. The best we have, maybe, is some record of how often you pay bills on time.
Tech companies kind of have to have these automated bans, because it's easy to create new identities on the Internet and the government doesn't care that you're defrauding a tech company. If you defraud a bank, the government pays the full cost of prosecuting and incarcerating you. If you spam Discord... nobody cares. It's Discord's problem, not the taxpayers' problem. So they really have no choice here. The world sucks. Get a helmet.
Having said that, banning people with a valid authentication token because of their IP address is simply the wrong algorithm. I can see why you might rate limit authentication attempts over Tor... but if you get your username/password right on the first attempt and provide the correct second factor... you should probably rate limit that valid session with a per-session rate limit key, rather than a per network endpoint key. (The era of IP address based rate limiting dies with IPv6 anyway, so they'll need a better plan someday.)
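The keying change suggested in the comment above, written out as an added example (not code from the thread, from Discord, or from any real rate limiter): login attempts are limited per source address, but once a session holds a valid token, post-login activity is limited per session. The IP address and session ids below are constructed for the simulation, and the limit of 100 messages per 60 seconds is an assumed number.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key."""

    def __init__(self, limit: int, window_s: float):
        self.limit = limit
        self.window_s = window_s
        self._events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class Gateway:
    """Two-stage limiting: per-IP before authentication, per-session (or per-IP) after."""

    def __init__(self, post_auth_keying: str):
        assert post_auth_keying in ("session", "ip")
        self.post_auth_keying = post_auth_keying
        self.login_limiter = SlidingWindowLimiter(limit=10, window_s=60.0)
        self.message_limiter = SlidingWindowLimiter(limit=100, window_s=60.0)

    def login_attempt_allowed(self, client_ip: str, now: float) -> bool:
        # No session exists yet, so the only stable handle is the source address.
        return self.login_limiter.allow(client_ip, now)

    def send_message_allowed(self, session_id: str, client_ip: str, now: float) -> bool:
        # With a valid session, limit that session rather than everyone behind the IP.
        key = session_id if self.post_auth_keying == "session" else client_ip
        return self.message_limiter.allow(key, now)


# Constructed sample: one shared egress address (a TEST-NET-2 address used as
# a stand-in for a Tor exit) carrying two unrelated authenticated sessions.
SHARED_IP = "198.51.100.7"


def simulate(post_auth_keying: str) -> dict:
    """Count messages allowed for a noisy session and a quiet one sharing an IP."""
    gw = Gateway(post_auth_keying)
    now = 1_700_000_000.0  # fixed clock so the run is deterministic
    allowed = {"noisy": 0, "quiet": 0}
    # The noisy session fires 200 messages within one second.
    for i in range(200):
        if gw.send_message_allowed("sess-noisy", SHARED_IP, now + i * 0.005):
            allowed["noisy"] += 1
    # The quiet session sends five messages a few seconds later, same IP.
    for i in range(5):
        if gw.send_message_allowed("sess-quiet", SHARED_IP, now + 2 + i):
            allowed["quiet"] += 1
    return allowed


def brute_force_attempts_allowed(client_ip: str, attempts: int) -> int:
    """How many of `attempts` rapid logins from one IP get past the pre-auth limiter."""
    gw = Gateway("session")
    now = 1_700_000_000.0
    return sum(gw.login_attempt_allowed(client_ip, now + i * 0.1) for i in range(attempts))


if __name__ == "__main__":
    print("per-session keying:", simulate("session"))
    print("per-ip keying:     ", simulate("ip"))
    print("logins allowed of 50:", brute_force_attempts_allowed(SHARED_IP, 50))
```

With per-IP keying the quiet session gets nothing because the noisy one exhausted the shared key; with per-session keying it is unaffected, while rapid login attempts from the same address are still capped.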
Honestly I can't be 100% spiteful toward Discord. Their customer service at least allowed me to easily begin the deletion process for my now-useless account. Compare this to Twitter, Google, or Yahoo!, where it's actually really difficult to get in touch with a human that doesn't spam canned replies at you and close your ticket soon after. (I'm especially disgusted at Yahoo! which seems to handle E-mail abuse related issues in the same customer support department as general account inquiries. Makes it really difficult to report spam as a fellow postmaster.)
It's a shame about your experience with Lyft. I'll have to remember this if I ever need a car ride, but seeing how all of these crowdsourced transportation initiatives are popping up with similar policies and disrespect toward open platforms (locking you into their apps, for instance) it might be better for me to consider conventional transportation entirely, if I'm ever stuck without a car and I can call up a normal taxi.
> I'm not one to normally advocate for government regulations and oversight
Yeah, I'd like to say that, this is capitalism and customers can naturally choose the right choice and stop supporting unethical companies, but this is hard especially with the network effect in play with things like Discord. Everyone's on Discord (or Facebook, or Snapchat) and suddenly a person is in the wrong for "not just signing up and using it" because their friends use it just fine. If consumer protections forced Discord to release a way to self-host servers (rather than calling guilds "servers") and made Discord fix their login and anti-spam mechanisms, and allowed users to have third-party apps to access the service, then I wouldn't complain. I still wouldn't like the concept of Discord because I'm a believer in federated networking, but it'd definitely be an improvement over the current state. These consumer / online service laws would also have great effect on financial and educational websites, which have rampant anti-consumer and security issues plastered all over their Internet presence. It's really upsetting to see how many corners people are willing to cut at others' expense.
> but there's way too much consumer abuse for these Internet age services.
a) Government programs are programs, written in the language English. So let's be careful what services we launch with the stroke of the Presidential pen. They could be a cure worse than the disease.
b) Whither capitalism? A remedy to consider in parallel with government regulation would be some actual competition. How do we get the functionality we want without quite so much Orwellian peril?
Social media gets less and less "social" every day.
My last remaining social media with input from me is HN. But I accept that, sooner or later, HN will be just as intrusive, aggressive, just plain nasty and censoring as the rest of them. And then it will be time for me to "go completely dark" as far as my contribution to the internet is concerned.
For privacy reasons implies either what you are suggesting or that they are contacting Discord from an email address not affiliated with the account in question.
2FA is account security, not proof of being a good human user. TOTP is a very simple algorithm (python impl: https://github.com/pyauth/pyotp) that can be easily automated. After all, your phone telling you the code to type in has automated it.
Strange I was just thinking about this issue the other day
Discord is a bit of a haven for spammers / scammers with my own account having received messages from several hundred random accounts ( to be fair the user is normally deleted before I read the message )
As a discussion / personal curiosity point, how would the HN community recommend Discord handle this level of spam going forward?
It becomes extremely obvious when someone's sharing a link to thousands of users they have never spoken to before. Idk about how you use Discord but I can only send so many messages to so many people in a few minutes.
I understand the frustration on the part of the user and I dislike that we're all being forced to give up our anonymity to use these platforms... but also the tone of both emails was quite antagonistic. They may have had slightly better luck if they'd been friendlier and not attempted to school the Discord staff on how their app should behave.
If the only deal breaker is your phone number, this is going to be an issue for you moving into the future with many service providers. Consider leasing a number through Twilio, it will save you from frustration.
I'm probably going to leave phone companies entirely, when I'm no longer on my family's plan, and set up a VoIP number because it'd give me hands-on experience with how VoIP works and it seems more cost-effective for my use case. I'll remember Twilio if I need it for any verification purposes, but it's definitely a sad state of affairs that phone numbers are seen as a mandatory identification step in this day and age. I understand that it's an easy choice for some companies to make, but it doesn't mean I have to be happy with it.
Hey. I work at Discord - and actually, this system is a thing I work on - and code my team wrote caused your account to be locked. If my team is doing a good job, you won't notice us. If we're doing a bad job, you might get some spam, or your account may be blocked for false positives.
Discord gets a lot of spam. We've disabled, and/or challenged millions of accounts for trying to use our platform for unsolicited spam (trying to advertise their service, sex bots, crypto spam, etc...). Our anti-spam systems continue to evolve - just as the spammers who target our platform continue to evolve. The spam attacks against our platform vary in terms of how elaborate and skilled they are. Some are very obvious in terms of a detection perspective, and some are not. As such, we use a blend of signals, heuristics and machine learning algorithms to determine whether someone is spamming on our platform. Additionally, we look at where spam is originating from as an input to our heuristic.
One such source is TOR exit nodes - and as such, our system considers content created (DMs opened, etc..) from people using TOR exit nodes with more stringency than other sources. As such, if you are using TOR, it is definitely more likely that you may get challenged either via captcha, or phone verification. The system is definitely not perfect - and unfortunately in OP's case, it flagged the account for phone verification.
To address the 3 demands in OP's email:
> 1. Discord's anti-spam isn't so anal,
I'm not entirely sure what this means, nor what actionable steps I can take. You are using TOR, a source of a great amount of spam/attempted spam on our network.
> 2. my account (and other accounts in good standing and with proper 2FA) is exempt from such checks
Having 2fa is not a strong signal as to whether or not an account is legitimate. It is very trivial to automate setting up 2fa on an account. https://github.com/pyauth/pyotp can be used to both generate and validate 2fa codes. It'd be trivial to hook that up to the registration flow to enable 2fa - and if that was a way to 'bypass' our anti-spam measures, it'd surely be exploited.
> 3. I don't have to solve a Google reCAPTCHA for an account I have taken every step to protect against bruteforcing. Using Tor is not a crime; don't treat it as such.
Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)
Finally, I'd like to address: "Discord has shown to be hostile toward FOSS and privacy for a while now" and understand why that is.
As a company, we have tried to give back to open source software (either by financial sponsorship, or by contributing our bugfixes/changes upstream.) We also attribute all open source projects we use in our software here: https://discordapp.com/licenses. Additionally, we host many open source communities on our platform: https://discordapp.com/open-source. And finally, we try to open source software we make which may be useful to the eco-system in general: https://github.com/discordapp/.
I still heavily disagree with the "Discord <3 Open Source" statements.
3rd party clients (eg. Ripcord) that were shared on reddit were quickly shot down with a "We don't allow or support 3rd party clients or modified versions of the client."
Do you actively hunt for Discord users with a 3rd party client or is it more of a "we don't hurt you unless you abuse our API"-deal?
> Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)
Solution: add a checkbox "disable account security measures", so a user who doesn't want CAPTCHAs when logging into their account doesn't see them. It would have a warning so any user selecting it would know what they're doing.
First of all, thank you for the reply. Yes, my ticket was fairly … to the point and I did not make an effort to be polite, but Discord's support team does perform a good job in terms of timely and complete responses. As I said, starting the account deactivation/deletion process over E-mail was not a hassle (compare that to Twitter, eh…) and I have even been able to start a transfer of my own guild over to a trusted member, so the guild does not die with my absence. But with the current route Discord is taking, I cannot wish it as a company the best of luck. I'll respond to some of your points.
> anti-spam
My impression would be that an aged account with a good reputation would be held to much less scrutiny than a new account, regardless of my method of accessing the service.
> regardless of whether […] there is 2fa enabled on the account
Clue me in on this one because I do not understand how a bot surfing for accounts would be able to guess this code in a configured number of attempts. Many login forms have a number of tries before the account is temporarily locked and the user is notified of a potential breach. This is no substitute for a good password, but it's one additional safeguard, and it's one that doesn't depend on a nonfree CAPTCHA service. I'm trying to de-Google lately and I've been pretty successful; one of the few services I use anymore is GDrive and that's only because I have unlimited storage and GPG at my disposal. Discord isn't owned by Google, so my decision to abandon Google's services shouldn't have weighed in on my decision for third-party services.
> it's also our responsibility […] (even if they don't employ the best security practices[…].)
I understand, but there's a line one has to draw for things like this. I'm not a fan of password requirements but employing a minimum password length (if Discord doesn't already do so) would be a good start. As a public service provider, I understand the issue with compromised accounts, and how they can be used for spam and harassment, but I still believe there are smarter ways to go about this than punishing people for using the wrong IP address to log in.
> hostile toward FOSS
> we have tried to give back to open source software
That doesn't really mean much when Discord openly detests third-party FOSS clients and will not make its server available at least in a similar capacity to GitHub's self-hosted solution (I don't think GitHub is appreciative of FOSS either, and they prefer to capitalise from the walled garden they've created rather than truly express the libre ethic, but hosting servers has been a long-requested feature especially from established communities who don't wish to rely on Discord's infra).
> and privacy
> we've stated that we don't sell your data
I'm a cryptoanarchist. If an organisation has my IP address, they have my IP address. If they have my phone number, they have my phone number. Discord may have my intentions at heart, its servers may be kept updated and secure from most threats, but Discord is a high-profile platform now, and we're all no stranger to hackers leaking database information from a zero-day or some other oversight. I cannot trust words and policies, I can only fully trust audited code and myself. So, no, in this light Discord does not appreciate the concern for privacy if it does not make exceptions for verifying accounts by other, more private means.
I wish I could give an answer on how to moderate a platform without negatively impacting people, but to reuse your words, there isn't an answer that satisfies everyone, and there will always be shortcomings for any solution, whether it's a setup cost or a long-term conditioning of users to create better passwords. In fact, I talked about passwords specifically in another blog post [1] so I can only hope they are eventually phased out for something less prone to user error. Despite what we're stuck with, I do genuinely believe Discord could tune their spam and login mechanisms such that false positives are kept to a minimum.
I want to be done with Discord. The only value I find is the notifications when you have an @reply. Isn't there someone that has done this for freenode or other IRC?
2) You use proxies/Tor which probably makes your concerns the concerns of 0.01% of the user-base.
Why should a company whose primary motive is to be profitable go so far out of their way for you, a non-paying client whose concerns represent basically none of the legitimate user-base?
The post is entitled "Guess I'm done with Discord", not "I'm entitled to my Discord account and everyone who disagrees with me is an idiot." As I said in another comment, my post was purely informative and not even in a format that would be digestible by people who do not know me.
[+] [-] jrockway|6 years ago|reply
I pay them $99 a year, and their customer service treated me like shit for this. What do I care if someone hacks my account and destroys the large community that I moderate? That's their problem, not mine. But I doubt they care.
[+] [-] ChuckMcM|6 years ago|reply
The services aren't free of course, they pay their overhead and costs by re-selling the data they collect about their users. And as other sources of revenue (like ads) have lost value the data service has filled in. And since the data buyers know that the service provider is in a weak negotiating position they keep pressing on them to get more and more datamilk out of their data cows for the same amount of money.
The pressure is on to create a low friction pay as you go service for these things that don't extract data.
[+] [-] cpdt|6 years ago|reply
So relating back to the post, their justification doesn’t necessarily make it right, but I think it’s incorrect to attribute it to a malicious cause.
[+] [-] esotericn|6 years ago|reply
I've lost count of the number of times I've tried to log in to, I dunno, eBay or whatever, and computer says no, and I have to call some bloody line and speak to someone who hates their job and doesn't understand what I mean when I talk about IP addresses.
I wish that these services had a way to check some box and say "look, I really know what I'm doing, let anyone with the correct password/SSH key/whatever in".
If it gets hacked, _then_ I can go through all of that shit. In this case we're talking about a bloody chat server for christ's sake.
[+] [-] krick|6 years ago|reply
[+] [-] _qwfv|6 years ago|reply
[+] [-] snek|6 years ago|reply
[+] [-] kart23|6 years ago|reply
But yeah, discord used to be held in high standards by me and plenty of other gamers, but they have made it clear that they cannot handle tough situations, and dont really care about their userbase. Someone should start a privacy focused phone number as a service, acces to texts online and through an app. Allow people to basically have a spam phone number that they can give out to online services, but make people pay for it obviously. Like 10minutemail but long term and for texts only.
[+] [-] gigel82|6 years ago|reply
I also don't understand the 2FA point, that says nothing about your accounts' intentions.
The account history is an interesting point... if you have a long-standing history with no reports of inappropriate actions, they should factor that in somehow into their algos.
[+] [-] Pfhreak|6 years ago|reply
> I will be communicating with a couple communities with which I'm involved to explain that I am unable to use Discord
Does this person not have a phone? 'Unable' seems like a stretch. If this person said, "I don't want to provide my phone number to Discord, so I'm going to stop using it" I'd understand.
Their opening email also strikes a pretty aggressive tone -- calling Discord anal, insulting, "spit in my face" then goes on to make a number of demands of the company? I'm not super surprised the customer service rep on the other side didn't go out of their way to help.
[+] [-] esotericn|6 years ago|reply
In that sense, bureaucracies are aggressive by default; that they use friendly language doesn't change this.
Imagine that one day, your car locks you out, and there's a smiley face and it says "oh hey, just call this number dude". Is that any less aggressive simply because it's 'friendly'? Of course not.
In many ways it's worse - because it's almost sarcastic (it's not _really_ that way, of course, because the customer support agent in this scenario is a robot, but it sure feels like it).
[+] [-] wowaname|6 years ago|reply
[+] [-] leftyted|6 years ago|reply
If I say "I am unable to do X" that might mean "My conscience compels me to refuse to do X" or "I literally cannot do X". Both interpretations are valid.
> Their opening email also strikes a pretty aggressive tone -- calling Discord anal, insulting, "spit in my face" then goes on to make a number of demands of the company? I'm not super surprised the customer service rep on the other side didn't go out of their way to help.
I suppose I agree with you that the email is rude. Then again, I don't mind giving out my phone number and email even though companies are using these things to track me, build a profile, and spam me. I'd rather that they didn't; I think it's corrosive behavior. But it doesn't affect me much and so I put up with it. Point is, the writer of these emails could be seen as heroic because he or she has principles and is refusing to back down (despite the rudeness).
Like I said, I have similar principles but I'm not too fussed about them. This worries me sometimes. This level of invasion of privacy isn't the hill I'm willing to die on but I hope there is a hill I'd die on. If not, I'm an unprincipled person.
[+] [-] lidHanteyk|6 years ago|reply
As a light and funny example, Discord doesn't comply with the OpenSSL license.
[+] [-] chrisseaton|6 years ago|reply
[+] [-] oceanghost|6 years ago|reply
People underestimate how hostile the internet truly is. I run a small website for a friend-- I'd say 90% of our traffic is spam/exploit fishing. I have at times blocked whole countries because we didn't have any business in that region and the abuse would not stop.
liability | 6 years ago
[deleted]
fbcpck | 6 years ago
[deleted]
elmerfud | 6 years ago
I've had my own issues with Lyft that are similar. Banned from using their service even though I've never actually ordered a ride from them. Banned upon sign up. No review, no appeal, they don't even follow their own terms of service.
I'm not one to normally advocate for government regulations and oversight, but there's way too much consumer abuse for these Internet age services. Consumer protections can't come soon enough.
jrockway | 6 years ago
There is no system of human <-> corporation trust in the real world. The best we have, maybe, is some record of how often you pay bills on time.
Tech companies kind of have to have these automated bans, because it's easy to create new identities on the Internet and the government doesn't care that you're defrauding a tech company. If you defraud a bank, the government pays the full cost of prosecuting and incarcerating you. If you spam Discord... nobody cares. It's Discord's problem, not the taxpayers' problem. So they really have no choice here. The world sucks. Get a helmet.
Having said that, banning people with a valid authentication token because of their IP address is simply the wrong algorithm. I can see why you might rate limit authentication attempts over Tor... but if you get your username/password right on the first attempt and provide the correct second factor... you should probably rate limit that valid session with a per-session rate limit key, rather than a per network endpoint key. (The era of IP address based rate limiting dies with IPv6 anyway, so they'll need a better plan someday.)
wowaname | 6 years ago
It's a shame about your experience with Lyft. I'll have to remember this if I ever need a car ride, but seeing how all of these crowdsourced transportation initiatives are popping up with similar policies and disrespect toward open platforms (locking you into their apps, for instance) it might be better for me to consider conventional transportation entirely, if I'm ever stuck without a car and I can call up a normal taxi.
>I'm not one to normally advocate for government regulations and oversight
Yeah, I'd like to say that this is capitalism and customers can naturally choose the right choice and stop supporting unethical companies, but this is hard especially with the network effect in play with things like Discord. Everyone's on Discord (or Facebook, or Snapchat) and suddenly a person is in the wrong for "not just signing up and using it" because their friends use it just fine. If consumer protections forced Discord to release a way to self-host servers (rather than calling guilds "servers") and made Discord fix their login and anti-spam mechanisms, and allowed users to have third-party apps to access the service, then I wouldn't complain. I still wouldn't like the concept of Discord because I'm a believer in federated networking, but it'd definitely be an improvement over the current state. These consumer / online service laws would also have great effect on financial and educational websites, which have rampant anti-consumer and security issues plastered all over their Internet presence. It's really upsetting to see how many corners people are willing to cut at others' expense.
Judgmentality | 6 years ago
hi5eyes | 6 years ago
smitty1e | 6 years ago
a) Government programs are programs, written in the language English. So let's be careful what services we launch with the stroke of the Presidential pen. They could be a cure worse than the disease.
b) Whither capitalism? A remedy to consider in parallel with government regulation would be some actual competition. How do we get the functionality we want without quite so much Orwellian peril?
simonblack | 6 years ago
My last remaining social media with input from me is HN. But I accept that, sooner or later, HN will be just as intrusive, aggressive, just plain nasty and censoring as the rest of them. And then it will be time for me to "go completely dark" as far as my contribution to the internet is concerned.
steve19 | 6 years ago
Does that just mean "our black box NN has banned you and we won't know or care why" ?
ljm | 6 years ago
buckminster | 6 years ago
The stuff about privacy is just nonsense from a clueless support person.
giancarlostoro | 6 years ago
Havoc | 6 years ago
...If you can't filter out your core user base with 2FA (!!!) from bullshit like recaptch then you've got real problems
snek | 6 years ago
nullandvoid | 6 years ago
Discord is a bit of a haven for spammers / scammers, with my own account having received messages from several hundred random accounts (to be fair, the user is normally deleted before I read the message).
As a discussion / personal curiosity point, how would the HN community recommend Discord handle this level of spam going forward?
giancarlostoro | 6 years ago
mostlysimilar | 6 years ago
Prohias | 6 years ago
wowaname | 6 years ago
jhgg | 6 years ago
Discord gets a lot of spam. We've disabled, and/or challenged millions of accounts for trying to use our platform for unsolicited spam (trying to advertise their service, sex bots, crypto spam, etc...). Our anti-spam systems continue to evolve - just as the spammers who target our platform continue to evolve. The spam attacks against our platform vary in terms of how elaborate and skilled they are. Some are very obvious in terms of a detection perspective, and some are not. As such, we use a blend of signals, heuristics and machine learning algorithms to determine whether someone is spamming on our platform. Additionally, we look at where spam is originating from as an input to our heuristic.
One such source is TOR exit nodes - and as such, our system considers content created (DMs opened, etc..) from people using TOR exit nodes with more stringency than other sources. As such, if you are using TOR, it is definitely more likely that you may get challenged either via captcha, or phone verification. The system is definitely not perfect - and unfortunately in OP's case, it flagged the account for phone verification.
To address the 3 demands in OP's email:
> 1. Discord's anti-spam isn't so anal,
I'm not entirely sure what this means, nor what actionable steps I can take. You are using TOR, a source of a great amount of spam/attempted spam on our network.
> 2. my account (and other accounts in good standing and with proper 2FA) is exempt from such checks
Having 2fa is not a strong signal as to whether or not an account is legitimate. It is very trivial to automate setting up 2fa on an account. https://github.com/pyauth/pyotp can be used to both generate and validate 2fa codes. It'd be trivial to hook that up to the registration flow to enable 2fa - and if that was a way to 'bypass' our anti-spam measures, it'd surely be exploited.
> 3. I don't have to solve a Google reCAPTCHA for an account I have taken every step to protect against bruteforcing. Using Tor is not a crime; don't treat it as such.
Malicious actors constantly attempt to brute-force logins on our system - generally from public password dumps or other leaks. A lot of these brute-force attempts come from TOR, and other public proxies. In order to avoid information disclosure, we always captcha logins from these kinds of IPs, regardless of whether or not an account exists with the e-mail in question, whether the login credentials are correct, or there is 2fa enabled on the account. So, the "captchas" you notice are not really specific to your account, but rather, the origin of the login. Using TOR is not a crime, you are right - but - it's also our responsibility to our users to make it reasonably hard for their accounts to get compromised on our platform (even if they don't employ the best security practices - and reuse their passwords across the internet.)
Finally, I'd like to address: "Discord has shown to be hostile toward FOSS and privacy for a while now" and understand why that is.
As a company, we have tried to give back to open source software (either by financial sponsorship, or by contributing our bugfixes/changes upstream.) We also attribute all open source projects we use in our software here: https://discordapp.com/licenses. Additionally, we host many open source communities on our platform: https://discordapp.com/open-source. And finally, we try to open source software we make which may be useful to the eco-system in general: https://github.com/discordapp/.
As for privacy, we've stated that we don't sell your data. When you verify your phone number, we ONLY use it for the purpose of anti-spam, and it is never shared with anyone (aside from twilio, which sends you the SMS), especially for the purpose of financial gain. We're pretty up front about how we make money (freemium model: https://discordapp.com/nitro, in-app commerce: https://discordapp.com/sell-your-game). We provide privacy controls: https://support.discordapp.com/hc/en-us/articles/36000410991..., and allow you to request an export of all the data we have stored on your account: https://support.discordapp.com/hc/en-us/articles/36000402769...
I know this reply won't satisfy everyone, but hopefully, being truthful and upfront about this will help!
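The two mechanisms argued over above, as an added example that is not Discord's code and not from anyone in the thread: jhgg's points that a TOTP second factor is trivial for a bot to enrol and satisfy, and that the captcha decision for a Tor exit is made on the origin alone, before any account state is consulted, so it leaks nothing about whether the e-mail exists or the password is right; and jrockway's point that an authenticated session should be rate limited under a per-session key rather than the shared IP of the exit node. Everything here is assumed for illustration: the Tor exit addresses are made up from the RFC 5737 documentation range, SHA-256 stands in for a real password hash, the limits are arbitrary, and the TOTP secret is the RFC 6238 test-vector key.

```python
"""Origin-first login gating, stdlib TOTP, and per-session rate limiting.

Added example; not Discord's implementation. All data below is constructed.
"""
import base64
import hashlib
import hmac
import struct
from collections import defaultdict, deque

# Constructed Tor exit list (RFC 5737 documentation addresses). A real service
# would refresh this from the Tor Project's published exit-node list.
TOR_EXITS = {"198.51.100.7", "203.0.113.9"}

# RFC 6238 test-vector key ("12345678901234567890" in base32).
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the same arithmetic pyotp performs, which
    is why a registration bot can enrol and satisfy 2FA without any human."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(secret_b32, code, at, step=30, skew_steps=1):
    """Accept neighbouring time steps to absorb clock drift; compare in constant time."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * step, step), code)
               for d in range(-skew_steps, skew_steps + 1))


def _h(password):
    # SHA-256 is a stand-in only; a real store would use argon2/bcrypt/scrypt.
    return hashlib.sha256(password.encode()).hexdigest()


ACCOUNTS = {  # constructed
    "alice@example.com": {"pw": _h("correct horse"), "totp": SECRET_B32},
}
_DUMMY_PW = _h("unused")  # compared against when the account does not exist


class SlidingWindowLimiter:
    """Allows at most `limit` hits per `window_s` seconds for each key."""

    def __init__(self, limit, window_s):
        self.limit, self.window = limit, window_s
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Pre-auth attempts are keyed by IP (the only handle there is before login);
# post-auth actions are keyed by session id, so one exit node's traffic is not
# one shared budget. Limits are arbitrary for the example.
PREAUTH_BY_IP = SlidingWindowLimiter(limit=5, window_s=60)
POSTAUTH_BY_SESSION = SlidingWindowLimiter(limit=20, window_s=60)


def gate_login(email, password, code, ip, now, captcha_solved=False,
               accounts=ACCOUNTS, limiter=PREAUTH_BY_IP):
    """Returns 'captcha_required', 'rate_limited', 'invalid_credentials' or 'ok'."""
    # 1. Origin decision first, before any account lookup: a Tor exit gets the
    #    same answer for existing/missing accounts and right/wrong passwords.
    if ip in TOR_EXITS and not captcha_solved:
        return "captcha_required"
    if not limiter.allow(ip, now):
        return "rate_limited"
    # 2. Credential check with a dummy hash when the account is missing, so the
    #    work done (and the answer) does not reveal whether the e-mail is known.
    acct = accounts.get(email)
    stored = acct["pw"] if acct else _DUMMY_PW
    pw_ok = hmac.compare_digest(stored, _h(password))
    if acct is None or not pw_ok:
        return "invalid_credentials"
    # 3. 2FA is verified, but having it never relaxed the origin check in step 1.
    if acct["totp"] is not None and not totp_valid(acct["totp"], code or "", now):
        return "invalid_credentials"
    return "ok"


def allow_action(session_id, now):
    """Post-auth rate limit keyed by session, not by network endpoint."""
    return POSTAUTH_BY_SESSION.allow(session_id, now)
```

Two things to notice when running it: `gate_login` returns `captcha_required` for an unknown e-mail and for alice's correct password and code alike when the source address is in `TOR_EXITS`, and two different sessions behind the same exit each get their own twenty-per-minute budget from `allow_action`, so one abusive session does not get its neighbours throttled.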
xBytez | 6 years ago
3rd party clients (eg. Ripcord) that were shared on reddit were quickly shot down with a We don't allow or support 3rd party clients or modified versions of the client.
Do you actively hunt for Discord users with a 3rd party client or is it more of a "we don't hurt you unless you abuse our API"-deal?
ajfjsiqjwisjais | 6 years ago
Solution: add a checkbox "disable account security measures", so a user who doesn't want CAPTCHAs when logging into their account doesn't see them. It would have a warning so any user selecting it would know what they're doing.
wowaname | 6 years ago
>anti-spam
My impression would be that an aged account with a good reputation would be held to much less scrutiny than a new account, regardless of my method of accessing the service.
>regardless of whether […] there is 2fa enabled on the account
Clue me in on this one because I do not understand how a bot surfing for accounts would be able to guess this code in a configured number of attempts. Many login forms have a number of tries before the account is temporarily locked and the user is notified of a potential breach. This is no substitute for a good password, but it's one additional safeguard, and it's one that doesn't depend on a nonfree CAPTCHA service. I'm trying to de-Google lately and I've been pretty successful; one of the few services I use anymore is GDrive and that's only because I have unlimited storage and GPG at my disposal. Discord isn't owned by Google, so my decision to abandon Google's services shouldn't have weighed in on my decision for third-party services.
>it's also our responsibility […] (even if they don't employ the best security practices[…].)
I understand, but there's a line one has to draw for things like this. I'm not a fan of password requirements but employing a minimum password length (if Discord doesn't already do so) would be a good start. As a public service provider, I understand the issue with compromised accounts, and how they can be used for spam and harassment, but I still believe there are smarter ways to go about this than punishing people for using the wrong IP address to log in.
>hostile toward FOSS
>we have tried to give back to open source software
That doesn't really mean much when Discord openly detests third-party FOSS clients and will not make its server available at least in a similar capacity to GitHub's self-hosted solution (I don't think GitHub is appreciative of FOSS either, and they prefer to capitalise from the walled garden they've created rather than truly express the libre ethic, but hosting servers has been a long-requested feature especially from established communities who don't wish to rely on Discord's infra).
>and privacy
>we've stated that we don't sell your data
I'm a cryptoanarchist. If an organisation has my IP address, they have my IP address. If they have my phone number, they have my phone number. Discord may have my intentions at heart, its servers may be kept updated and secure from most threats, but Discord is a high-profile platform now, and we're all no stranger to hackers leaking database information from a zero-day or some other oversight. I cannot trust words and policies, I can only fully trust audited code and myself. So, no, in this light Discord does not appreciate the concern for privacy if it does not make exceptions for verifying accounts by other, more private means.
I wish I could give an answer on how to moderate a platform without negatively impacting people, but to reuse your words, there isn't an answer that satisfies everyone, and there will always be shortcomings for any solution, whether it's a setup cost or a long-term conditioning of users to create better passwords. In fact, I talked about passwords specifically in another blog post [1] so I can only hope they are eventually phased out for something less prone to user error. Despite what we're stuck with, I do genuinely believe Discord could tune their spam and login mechanisms such that false positives are kept to a minimum.
[1] https://wowana.me/blog/are-passwords-the-right-solution.xht
Havoc | 6 years ago
This surge in adoption is pretty classic. It feels artificially hot / running at too high temps, if that makes sense.
I don't see a superior product so don't see this crashing, but Discord is going down only from here.
buboard | 6 years ago
mieses | 6 years ago
[deleted]
rpgraham84 | 6 years ago
[deleted]
wowaname | 6 years ago
[deleted]
pfisch | 6 years ago
2) You use proxies/Tor, which probably makes your concerns the concerns of 0.01% of the user base.
Why should a company whose primary motive is to be profitable go so far out of their way for you, a non-paying client whose concerns represent basically none of the legitimate user base?
wowaname | 6 years ago
yjftsjthsd-h | 6 years ago
You seem to be implying that they are not a legitimate user. What makes them any less legitimate than everybody else?
throwaway2048 | 6 years ago
ricardbejarano | 6 years ago
There are legitimate reasons to block Tor traffic, and even if there were none, they'd still have the right to block any one of their users.
There are plenty of alternatives; simply remember not to choose one run by a private company again.