MateriiApps / OpenCord

An open-source Material You implementation of the Discord Android app
GNU General Public License v3.0

Fix the ReadMe: "there has been no instances of Discord banning people for just using modified clients" seems to be wrong #107

Closed KOLANICH closed 1 year ago

KOLANICH commented 1 year ago

See https://github.com/Bios-Marcel/cordless

Of course it can fit into "API abuse" and "strange requests", but let's not hide heads in the sand:

  1. Discord is an unfriendly company and feels like it is happy to monopolize both client and server side;
  2. it is just not determined enough to cover all the users using unofficial clients. Though it is surely possible. For example, it may be possible to update the clients constantly with versions specific to a concrete user, and verify whether a user uses exactly that version, and if he doesn't, then just block him.

The proper long term solution is to abandon Discord and use something decentralized/federated. Using Discord is just increasing value of their solution over the competing ones.

rushiiMachine commented 1 year ago

The cordless author didn't take the proper precautions when developing; making weird requests on DM create is only a recipe for disaster. As of now, OpenCord fully emulates all implemented API requests.

We haven't decided whether or not to add those risky features to OpenCord yet, but our statement in the README is correct as of now with those conditions applied. Using an alt account is recommended, after all.

KOLANICH commented 1 year ago

The cordless author didn't take the proper precautions when developing; making weird requests on DM create is only a recipe for disaster. As of now, OpenCord fully emulates all implemented API requests.

I know, it is written in the ReadMe.

The problem is not with "weird requests". The problem is the company does blocking for "weird requests". It means the intent is to block everybody who uses anything but the official client. It means that anytime a feature can be added into the official client that

This makes this project's position very vulnerable. In the long term it is better to persuade people using Discord to leave it (and encouraging people to use Discord by providing an alternative client does the opposite: it increases the value of the Discord platform) for a more friendly platform, rather than to work around the "defense in depth" by Discord Inc.

X1nto commented 1 year ago

From my POV, the problem only occurs if 3rd party clients don't mimic the stock with 1:1 accuracy, which should be the only way to make those 3rd party clients even possible. OpenCord aims to provide that seamless API interop, meaning the servers will think that the requests are coming from the official clients. However, no FOSS implementation is perfect, which means that there might be cases where OpenCord might fail to accurately mimic the stock client. This is why we have a disclaimer in the README, which is our way of telling that we, the developers, are humans and not robots and we can make mistakes when developing applications that are as complex as OpenCord. Every new feature of OpenCord is heavily tested on our alt accounts before it even makes it to a commit.

TLDR: Discord only bans when they detect unofficial clients; OpenCord aims to mimic the stock perfectly, making client detection nearly impossible.

X1nto commented 1 year ago

The README clearly states the same:

What they do automatically ban for, is API abuse or strange requests. Therefore, OpenCord takes great caution in emulating official clients exactly

So I see no reason to update the README when it's already explaining everything in detail

KOLANICH commented 1 year ago

the problem only occurs if 3rd party clients don't mimic the stock with 1:1 accuracy

Which can be made impossible in practice for open-source entities without enough manpower / AI to rapidly reverse engineer every new version (and users of the versions that are not the latest ones can be banned). Which can be made kinda impossible at all, if Discord Inc. gets determined enough to kill alternative impls and to be ready to keep users without a TEE away (AFAIK SGX got dropped in the latest consumer-level Intel CPUs (but in older ones it has already been there for a long time), AMD's TEE is also already here, the future of Microsoft Pluton is unclear, and in some mobile phones TEEs are available, so if they are determined enough to keep users of alternative clients away at the cost of sacrificing some amount of conformist users, they can do it).

So IMHO a warning is needed that this status quo can end anytime Discord Inc. decides to end it, and that users should migrate to free ecosystems, because when D. I. does it, it will be too late for them if they are not prepared in advance.

X1nto commented 1 year ago

Which can be made impossible in practice for open-source entities without enough manpower / AI to rapidly reverse engineer every new version (and users of the versions that are not the latest ones can be banned).

OpenCord doesn't need to reverse-engineer every new version because it can still act as an old version of the client. Users that are not on the latest versions will never be banned, and here are the reasons why:

  1. If Discord just starts banning users who haven't updated to the latest version of the app, the community will go into chaos and Discord will definitely lose many investors.
  2. There are many factors as to why a user might not update, for example, low storage, old OS version (As in, the new Discord app doesn't support that old OS version anymore), and even UI and the React Native chaos.
  3. They wouldn't want to ban everyone who doesn't use their official client because the unofficial/modded client userbase is pretty huge. Even on the Desktop alone, at least 1 in every 3-4 users has a modified Discord client. They might as well just ban everyone if they want to lose their potential Nitro buyers at that point.
  4. And please, are you really comparing Discord to Microsoft, AMD, and Intel? Discord is nothing compared to the mega-corporations listed above, they roughly have money from all the investors (that is, if they're not selling users' data, which they definitely are but let's pretend they're not).
  5. The README clearly encourages users to only use their alt accounts if they want to test OpenCord.

KOLANICH commented 1 year ago

are you really comparing Discord to Microsoft, AMD, and Intel

No. TEEs are technology provided by chips vendors (Intel, MS, AMD, Samsung, etc.) to software developers (Alphabet's Widevine DRM is the most well-known example). In order to use the technology one needs a contract with the vendor.

If Discord just starts banning users who haven't updated to the latest version of the app, the community will go into chaos and Discord will definitely lose many investors.

Every banning is a tradeoff. And it has enough knobs to control false positive vs false negative rates. They can introduce an auto-update feature into clients. A server sends a challenge, a client uses the secret hardcoded into it to generate a response (a unique client can be generated for each user, the code within the client can be obfuscated making automatic extraction of the secret difficult, the secret itself can be generated by code and can be unavailable as a sequence of bytes). The server checks responses against the secrets from previous versions; if the response matches one of N expected from the previous versions, it requires the client to self-update.

Initially, for upgrading the users not having the feature, the server can contact them via a bot and demand an upgrade. But there won't be many such users; by default it auto-updates AFAIK (I don't use Discord myself and have never installed it, I was just considering starting to use it because some of the people I know are using it; after I heard of them banning users for using the clients they can detect as unofficial, I decided I won't use them).

After some time the majority of users of official ones will update to clients that use the challenge-response-based auto-update mechanism.

After the mechanism is implemented, one can do the following:

  1. if a user doesn't immediately update to the newest official client when requested by the server, increase the counter
  2. when the counter reaches the threshold, ban the user

Official clients will obey and will have a counter of ~0. Sometimes users can have issues with the network, but if the threshold is high enough (Discord can conduct experiments on its users en masse to determine the right threshold), those users will be paroled. Unofficial ones will not obey (because it defeats the purpose of using unofficial ones) and will have a large counter, because the server will continue demanding proofs, and the lack of a proof within a sensible timing window (yet another knob) can be considered a failure.

community will go into chaos and Discord will definitely lose many investors.

Isn't banning users of unofficial clients enough chaos? It seems they don't care about their reputation. They are big enough that a lot of people use it by now.

There are many factors as to why a user might not update

Why should these users be the target audience of Discord Inc.? Lots of software devs choose to just raise system requirements. It just depends on how many users they can afford to lose.

They wouldn't want to ban everyone who doesn't use their official client

It is already known they ban. Even one case of banning for "inappropriate usage of API" is enough to ruin a reputation. If the reputation were fine, there would be no such paragraph in the ReadMe at all. For example, in the ReadMe of IRC or XMPP clients there are no paragraphs about banning of users of those clients for using them. The mere presence of this paragraph is a telltale indicator that not everything is fine. Let's not pretend that everything is fine.

The README clearly encourages users to only use their alt accounts if they want to test OpenCord.

It should encourage them to leave Discord and persuade others to leave it in order not to create incentives for other users to join it. And I guess that an alternative backend for Discord can be created, that can be controlled by people, who won't ban users for usage of alt clients.
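
The challenge-response version-enforcement scheme described in the comment above (per-build secret, server-side identification of the build, update demand, per-user counter, ban threshold), modelled as a small simulation. This is an added example and not code from OpenCord, Discord or any participant in the thread; every name in it (VersionServer, AccountState, Client, simulate) is hypothetical, and the per-version secrets, threshold and ban verdicts are constructed values. It models only the counter logic; the per-user client generation and secret obfuscation the comment mentions are out of scope.

```python
"""Toy model of a challenge-response build-version check with a strike counter.

Added example, not OpenCord or Discord code. All names are hypothetical and
the secrets below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample values: one secret per client build (the "secret hardcoded into it").
VERSION_SECRETS = {1: b"build-secret-v1", 2: b"build-secret-v2", 3: b"build-secret-v3"}
LATEST_VERSION = 3
BAN_THRESHOLD = 3  # one of the "knobs": ignored update demands tolerated before a ban


def prove_version(build_secret: bytes, challenge: bytes) -> bytes:
    """What a client does with the server's challenge: an HMAC over it with its build secret."""
    return hmac.new(build_secret, challenge, hashlib.sha256).digest()


@dataclass
class AccountState:
    strikes: int = 0            # the per-user counter from the comment
    update_demanded: bool = False
    banned: bool = False


class VersionServer:
    """Hypothetical server side of the scheme (not a real Discord component)."""

    def __init__(self):
        self.accounts: dict[str, AccountState] = {}

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def identify_version(self, challenge: bytes, response: bytes):
        # Compare the response against the expected one for every build still known.
        for version, build_secret in VERSION_SECRETS.items():
            if hmac.compare_digest(prove_version(build_secret, challenge), response):
                return version
        return None

    def check(self, user: str, challenge: bytes, response: bytes) -> str:
        acct = self.accounts.setdefault(user, AccountState())
        if acct.banned:
            return "banned"
        version = self.identify_version(challenge, response)
        if version == LATEST_VERSION:
            acct.update_demanded = False
            verdict = "ok"
        elif version is None:
            # No valid proof at all counts as a failure (the "lack of a proof" case).
            acct.strikes += 1
            verdict = "no_proof"
        else:
            # Known but outdated build: demand an update; ignoring a demand is a strike.
            if acct.update_demanded:
                acct.strikes += 1
            acct.update_demanded = True
            verdict = "update_required"
        if acct.strikes >= BAN_THRESHOLD:
            acct.banned = True
            verdict = "banned"
        return verdict


class Client:
    """Simulated client that either obeys or ignores update demands."""

    def __init__(self, version: int, obeys: bool, has_secret: bool = True):
        self.version, self.obeys, self.has_secret = version, obeys, has_secret

    def respond(self, challenge: bytes) -> bytes:
        if not self.has_secret:
            return b"\x00" * 32  # a client with no valid build secret at all
        return prove_version(VERSION_SECRETS[self.version], challenge)

    def on_verdict(self, verdict: str) -> None:
        if verdict == "update_required" and self.obeys:
            self.version = LATEST_VERSION


def simulate(client: Client, rounds: int, user: str = "user") -> list:
    """Run `rounds` challenge/response exchanges and return the server's verdicts."""
    server = VersionServer()
    verdicts = []
    for _ in range(rounds):
        challenge = server.new_challenge()
        verdict = server.check(user, challenge, client.respond(challenge))
        client.on_verdict(verdict)
        verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    print("obedient v1:", simulate(Client(1, obeys=True), 3))
    print("stubborn v2:", simulate(Client(2, obeys=False), 5))
    print("no secret:  ", simulate(Client(1, obeys=False, has_secret=False), 4))
```

An obedient client on an old build is told to update once and is then accepted with a counter of zero; a client that keeps answering as an old build, or cannot answer at all, accumulates strikes and is banned once BAN_THRESHOLD is reached, which is the tradeoff the comment describes: the threshold and window decide how many genuine network failures a real user can survive.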

rushiiMachine commented 1 year ago

It should encourage them to leave Discord and persuade others to leave it in order not to create incentives for other users to join it.

I for one have no interest in decentralized social media that no one really uses. If you haven't noticed yet, this is an OSS client for Discord, not Mastodon or whatever.

After some time the majority of users of official ones will update to clients that use the challenge-response-based auto-update mechanism.

It is possible to set up an automated test that runs for every new RN bundle to test for unique API changes. While I don't think Discord is going to go that route considering the huge portion of users using them (even their own employees use client mods!), you do have a valid concern.

What doesn't really make sense, though, is why they would do it in the first place; they wouldn't earn any money doing it, nothing except for throwing their PR in a dumpster fire.

X1nto commented 1 year ago

No. TEEs are technology provided by chips vendors (Intel, MS, AMD, Samsung, etc.) to software developers (Alphabet, etc.). In order to use the technology one needs a contract with the vendor.

Fair point, but why would Discord ever introduce TEEs? It's a goddamn social media app, not a SoC manufacturer.

Every banning is a tradeoff. And it has enough knobs to control false positive vs false negative rates. They can introduce an auto-update feature into clients. A server sends a challenge, a client uses the secret hardcoded into it to generate a response (a unique client can be generated for each user, the code within the client can be obfuscated making automatic extraction of the secret difficult, the secret itself can be generated by code and can be unavailable as a sequence of bytes). The server checks responses against the secrets from previous versions; if the response matches one of N expected from the previous versions, it requires the client to self-update.

They can't introduce auto-update to the old clients now, can they? OpenCord will just base on the clients which don't have any security enforced until the dev team figures out how to bypass those.

Initially, for upgrading the users not having the feature, the server can contact them via a bot and demand an upgrade. But there won't be many such users; by default it auto-updates AFAIK (I don't use Discord myself and have never installed it, I was just considering starting to use it because some of the people I know are using it; after I heard of them banning users for using the clients they can detect as unofficial, I decided I won't use them).

After some time the majority of users of official ones will update to clients that use the challenge-response-based auto-update mechanism.

After the mechanism is implemented, one can do the following:

  1. if a user doesn't immediately update to the newest official client when requested by the server, increase the counter
  2. when the counter reaches the threshold, ban the user

Official clients will obey and will have a counter of ~0. Sometimes users can have issues with the network, but if the threshold is high enough (Discord can conduct experiments on its users en masse to determine the right threshold), those users will be paroled. Unofficial ones will not obey (because it defeats the purpose of using unofficial ones) and will have a large counter, because the server will continue demanding proofs, and the lack of a proof within a sensible timing window (yet another knob) can be considered a failure.

That is a massive overengineering for something that will only ban a relatively small portion of users. And what if the official client has a bug in it? What about Discord public betas which are tremendously flawed by account-breaking features? There have been many cases of Discord Android just banning people and/or breaking the users authentication because of bugs and glitches.

Isn't banning users of unofficial clients enough chaos? It seems they don't care about their reputation. They are big enough that a lot of people use it by now.

They are not banning unofficial clients, but rather just weird requests to their API server. You don't necessarily need a 3rd party client to use basic cURL commands to send "weird" requests. We don't know why they gatekeep some endpoints like users/@me and channels/@me but that's not really important at all. If they were really against 3rd party clients, all of the endpoints would resolve in account bans/locks.

Why should these users be the target audience of Discord Inc.? Lots of software devs choose to just raise system requirements. It just depends on how many users they can afford to lose.

I'm not saying they are. I'm just saying that there's plenty of reasons why one might not update their apps and banning them is NOT a solution to fix that.

It is already known they ban. Even one case of banning for "inappropriate usage of API" is enough to ruin a reputation. If the reputation were fine, there would be no such paragraph in the ReadMe at all. For example, in the ReadMe of IRC or XMPP clients there are no paragraphs about banning of users of those clients for using them. The mere presence of this paragraph is a telltale indicator that not everything is fine. Let's not pretend that everything is fine.

No one is pretending that everything is fine. The only thing README states is that Discord bans for "weird" API requests, which OpenCord tries really hard to avoid. But again, nothing is perfect, so that's why it recommends using alt accounts if you're really worried.

It should encourage them to leave Discord and persuade others to leave it in order not to create incentives for other users to join it. And I guess that an alternative backend for Discord can be created, that can be controlled by people, who won't ban users for usage of alt clients.

That's just Fosscord and Revolt. We're not going to tell anyone to use alternative backends. OpenCord is a Discord client and Discord client only.

X1nto commented 1 year ago

The best part about this conversation is the following:

I don't use Discord myself and have never installed it

I think we're done here.

NurMarvin commented 1 year ago

Discord does not care about people using custom clients and bans related to that are always for breaking other parts of the Terms of Service, think message loggers or detected API abuse as others have already mentioned.

Bans that were issued from a false-flag by Discord's anti-abuse system due to someone using a custom client are almost always reversed, unless that person is found to be breaking the ToS in other ways as well.

Discord is already a big target for scams with all the measures they've taken against it. Now imagine how much worse things would be if they didn't have those measures in place. Allowing custom clients to bypass the anti-abuse in any way would let bad actors just use the same bypass. Ultimately, unless a client is able to accurately replicate the official client's requests, the risk of being banned is unavoidable.

KOLANICH commented 1 year ago

Discord is already a big target for scams

It's not a valid cause for banning people for using the API. If certain endpoints are not to be used by ordinary clients, they should just require an API token with certain permissions to be used. If they are to be used, then people's accounts shouldn't be banned for using them.

Scams should be fought not by API usage signatures, but by raising awareness among people communicating with potential scams and by banning scammers, not the people who use the API and don't scam. I have no ready recipe for fighting scams, but fighting API users, while real scams can use official clients, seems to be a move not targeted at fighting scams.