by userbinator 1038 days ago
> Currently, Discord doesn’t appear to validate on their servers whether the stream being transmitted truly adheres to the criteria of a non-subscribed user

I wonder who thought that would be a good implementation. Client-side validation seems like a very novice mistake.

12 comments

I suspect it's less they thought "this is a great implementation" and more "if people figure out how to break it, we'll patch it." This is the first time in several years of using Discord that I've heard of anyone even trying to circumvent their access/permissions structure for Nitro, so I see no reason why they'd bother unless this was widespread.
Once you think about the tech I think there's an obvious steady state:

- It's cheaper not to check on every call server-side, and the people who are most likely to dodge in this way are also not likely potential sources of revenue.

- You shouldn't ban every person who tries this. They will gum up support and, on average, won't even be trying to earnestly get features for free.

- Also people who exploit the obviously vulnerable account interfaces may do other things that clue you in to vulnerabilities you care about.

It seems like it's a situation where you can let people fiddle around with this a bit (a few hours, a few days) and ban folks who do it too long (a month?). People who use it heavily are unlikely to be real revenue prospects and, at the end of the day, it's an engagement funnel. People rarely use hacks on a platform they aren't using.

And banning/punishing in waves is better than doing it immediately.

You gather a bunch of offenders for weeks or months and then one day they just go poof and everyone knows why.

This way you can weed out the ones who were just experimenting (few attempts) from those who use it regularly.

> one day they just go poof and everyone knows why.

I thought the point of ban waves was precisely because there's no direct cause-and-effect. E.g., if you perform an exploit and get banned immediately, you know that the system can detect your exploit. If you get banned a month later, it might have been your exploit or something else you did between then and now.

This reduces the selection pressure on black-hats to produce ban-avoiding exploits.

Yeah, this isn’t a (multiplayer) video game cheat where users are actively harming your product by existing. This is a loophole that allows users more features than they pay for. If they do a ban wave off this, it won’t be good for business. Discord is a social media company, they live and die by the community.
Most people don't realise you can plug almost any HLS URL into ffmpeg and trivially rip the stream. Most live streams don't bother with DRM because it's expensive, fragile, and user-hostile. It's often difficult enough to get the motion picture to display properly at all, let alone with acceptable resolution, latency, and artefact-free. The smart companies prioritise UX over policing the "high tier" features.
Modded Discord clients have been around for quite a while. But indeed, the threat of being banned deters most people, and if just a handful of people use a modded client Discord probably doesn't care.
There are even people like me, who have Nitro and still use modded client for different reasons.
Being able to delete your previous messages in bulk is a very good reason, for example.

It's borderline (or completely?) illegal to threaten to ban users if they choose to use their right to mass-delete their previous messages.

Yeah, I think it's one of those things where Discord reserves the right to ban anyone using automation on their user account, but in practice they don't take action unless you're clearly doing something malicious or annoying. At least as far as I know.
How can I delete previous messages in bulk on Discord?
Illegal in the EU (unless they provide some other option to comply with GDPR).
I use a modded client to remove the minimum window size limit.
> I wonder who thought that would be a good implementation. Client-side validation seems like a very novice mistake.

As someone who only sends up PRs containing complete features in their final state implemented exactly as I hoped, I have no idea.

Unrelated aside: just started my fifth new job this month. I never seem to jibe with project managers.

People didn’t get your joke, but I think it’s very funny.
Five jobs in a month? At least you interview great!
Meh. I had 5 jobs last month alone.

Of course, I am a contractor...

If everywhere you go smells like shit...
Considering how loosely people (especially kids) these days spend money, maybe this is good enough? How many people who understand how to do these hacks and would be willing to pay for Nitro are there? I am sure there are thousands if not tens of thousands of users for all these different Discord client mods that enable all or some of the Nitro features, but would there be any actual revenue from fixing this?

In my opinion paying the $10/mo (if I needed/wanted the features) is way less hassle than trying to keep on top of the mods, which probably break at every Discord update, and then hope the maintainers don't slip in exploits.

When I was young I didn't care how much hassle I had to get through to get stuff I wanted for free. Mostly I didn't have money as a 12 y/o.
You either didn't read what I wrote or misunderstood.

My point was exactly: how many people want to go through all of this AND would instead pay IF this route wasn't available?

A 12-year-old without money won't pay for your service no matter what you do, so does it matter if you let them "hack it" for free?

Yes, because you spend more money providing him with a better service (e.g. 60fps streaming, which is noticeably more expensive to run).
What happens if they turn 25 and have grown to expect the nice features? They have more money, less time, and can be a beacon for their peers of "James used to get it for free, now even he pays"

I'd consider it similar to Adobe's old model (easy to crack, but converts to paying customers in a few years)

It's also possible to see the names, topics, and timestamp of the last message of hidden channels through their API. The channels are only hidden on the client-side. (To be clear, it's still not possible to view the contents of these channels.)
And also who is in the channel (more generally, you can see the permission overrides on all channels)

It's been a long time since I did any Discord API work, but I had assumed they would have fixed this by now. I realise it makes things simpler and more cacheable, but IMO it's a critical and inexcusable user privacy issue to have this behaviour with no indication to ordinary users that their hidden channel is in fact quite visible to savvy users. This would be like Google Drive allowing anyone to query filenames (just not content) of private folders.

It's because this isn't a Discord API component, this is their "voice" server of which they have hundreds deployed across the world.

Their voice server only checks with the API to verify if you're allowed to join. Beyond that, it becomes a one-to-many packet broadcaster.

I don't know about "voice servers" but if you use something like coturn, there is no way to finely tune this, because it is just a generic "gateway" that is relaying packets to bypass NAT. You could try to connect to the stream and then check the stream quality after the fact but if there are false positives you are mistreating paying customers, which you certainly don't want to do.
Discord is doing so well it's hard to say whether this is actually a problem for them or not.

Maybe focusing on this security would have stopped them performing so well

> Discord is doing so well

It's remarkable how much data they are extracting; if the average user knew, there would likely be multiple scandals or legal proceedings.

Can you elaborate? What data are they extracting?
Most likely OP didn't grow up in the age of IRC, where nothing was ever encrypted and the server admin could see everything.

People just didn't share illegal, confidential or secret things with their own name and IP address or counted on the server admin not caring.

Personally, I don't care how much usage data they collect as long as they're not selling that data to third parties, or attempt to show me ads.

Of course there's the threat of data leakage, buuuut it's a risk I accept when it comes to my mundane usage of Discord.

My main gripe with data collection platforms is how they turn every platform into an ad board. Chief among my disappointments is windows. It's so thoroughly shit now I can't even consider myself a user. I can't really call it an OS anymore. It's something else... An advertisement platform built on top of an os.

Who says they aren't selling the data? They are probably selling it to every company trying to do a language model at the moment.
Using Discord to teach bots is like how doing it with Twitter went. It'll go real edgy real fast.

How people communicate on Discord isn't something you want to teach any AI you intend to use publicly =)

>Discord is doing so well

Are they? They try to sell me Nitro at least once every month, which only gives me the impression that they're desperate to increase their revenue stream to make ends meet.

Selling things is usually how you make money, no?
With an internet business it's usually with ads
That much nitro is bound to be bad for their engines.
Once per month is very few times.
My podcasts try to sell me stuff 5 times an hour, radio even more. Being nagged to pay for a service you use once a month is basically silence.
It seems like you fundamentally misunderstand how advertising works.
It doesn't really matter if they check it or not. I had Nitro for a year during the pandemic because I thought I could stream in higher quality. In reality the quality was just as bad, and sometimes the video looked very pixelated.

I have a gigabit connection at home and a good GPU that does the encoding, but I guess Discord doesn't have any servers near me (~1900km to Rotterdam) and it might be prioritizing low latency. The experience was terrible, so I cancelled the subscription. All the other paid features seemed useless to me.

I believe Discord's streaming limits itself based on the connection to your viewers as well as their decoding capabilities, because Discord itself doesn't do any transcoding.

For example with AV1, if someone joins without an AV1 decoder, it falls back to H.264: https://twitter.com/gerdelgado/status/1618285964308402180

Funny enough, Discord uses i3d, which is a Rotterdam-based company, so I'm pretty sure they have servers close to you.
That is the issue, I know that servers in EU are in Rotterdam, that is why I mentioned it, but it is far away.
Like most corporations, Discord doesn't care to make decent software. Instead it just maintains a team of lawyers to fix "problems" with its implementations.
Non-nitro users can stream in 1080p60, all they have to do is join a "boosted" server.

Which is very easy to do - you can find tons of freely joinable 'official' servers for games, which are boosted, and then join one of the available voice channels.

>all they have to do is join a "boosted" server.

I didn't think of this thank you! I wanted to stream in my friend's server for my friends to watch but his server isn't boosted, but now I'm gonna join a random server and stream for strangers instead!

Have you ever noticed the member limit on voice channels? Presumably you join one that lets only you and your friends join the vc.
Because this is way more complicated than checking that your CRUD REST API is valid.

We're talking bandwidth here.

Checking for upload is not the issue imo; the issue is that you can watch a 1080p stream as a non-Nitro user. If you don't check it at the upload stage, then you should make sure that people can only watch 720p streams.
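A server-side entitlement check of the kind this reply and the top comment call for, as an added example that is not part of the thread or of Discord's code: the requested stream profile is clamped to what the server knows the account is entitled to, and observed stats can be re-checked afterwards with a tolerance so that paying users are not flagged by measurement jitter. The tier caps, the boosted-server cap and the fps tolerance are constructed for illustration, not Discord's real values.

```python
from dataclasses import dataclass

# Constructed caps for illustration; not Discord's actual tiers.
TIER_CAPS = {          # tier -> (max_height, max_fps)
    "free":  (720, 30),
    "nitro": (1080, 60),
}
# The thread notes that a boosted server unlocks 1080p60 for everyone in it.
BOOSTED_SERVER_CAP = (1080, 60)


@dataclass(frozen=True)
class StreamProfile:
    height: int
    fps: int


def effective_cap(tier: str, server_boosted: bool) -> StreamProfile:
    """Entitlement derived only from data the server owns (account tier,
    server boost state), never from anything the client claims."""
    height, fps = TIER_CAPS[tier]
    if server_boosted:
        height = max(height, BOOSTED_SERVER_CAP[0])
        fps = max(fps, BOOSTED_SERVER_CAP[1])
    return StreamProfile(height, fps)


def negotiate(requested: StreamProfile, tier: str, server_boosted: bool) -> StreamProfile:
    """Clamp whatever profile the client asked for to the server-side cap.
    A modded client requesting 1080p60 on a free account gets 720p30 back."""
    cap = effective_cap(tier, server_boosted)
    return StreamProfile(min(requested.height, cap.height), min(requested.fps, cap.fps))


def over_entitlement(observed: StreamProfile, tier: str, server_boosted: bool,
                     fps_tolerance: int = 5) -> bool:
    """After-the-fact check on stats observed at the relay (the 'check the
    stream quality after the fact' approach from the thread). The fps
    tolerance keeps jitter in measured frame rate from flagging paying users."""
    cap = effective_cap(tier, server_boosted)
    return observed.height > cap.height or observed.fps > cap.fps + fps_tolerance
```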

The use of Discord itself could be argued as “a very novice mistake.”
Discord has a habit of making it work, then fixing it later. Additionally, how many people are going to bother to pirate themes and high quality screen sharing?