I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.
Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.
I really dislike the way they try and play this down in the doc:
Maybe uncharitable, but it seems like BotGhost comprehensively doesn't take security seriously. Not only were there bad vulnerabilities, but they didn't have the logging (or didn't use it) to see who was affected; didn't want to roll keys; didn't want to announce; and didn't even have their own bots use their own security features. So yeah. I'm a bit more sympathetic if Discord decided that BotGhost in particular wasn't going to be using Discord's platform any more. Because I'd guess the probability these are the last of BotGhost's serious vulnerabilities to be about 0%.
So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
I've often thought about the amount of data that these bot services must have access to (they could log millions of private channels), data thats silo'd away from search engines/indexers and could be pretty valuable to sell to someone training an AI model, or doing other things.
A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.
After Reddit's API shutdown the writing was on the wall. Services like Reddit and Discord are huge data troves, and now this data has a concrete $$ value. Offering unrestricted API access means that third parties will store and sell this data. So shutting them down (and monetizing your data yourself) is an obvious decision. Slack recently changed its ToS to disallow this as well - https://www.reuters.com/business/salesforce-blocks-ai-rivals....
Discord locked down the ability of bots to read message contents back in 2022. For bots used in over 100 servers, doing so now requires explicit approval from Discord (in addition to the standard approval the server owner would need to give). For most bots, the rest of the bot API is rich enough for this to not be an issue.
That cuts out a lot of the value for LLM training; and will reduce the blast radius if Discord ever decides to fully pull the plug on message access.
To read message archives or to read messages in realtime? Because I was working on a sideproject that required monitoring the messages in a channel, not just slash commands.
Some of them are absolutely up to dodgy stuff, they have access to countless private chats in servers where the users/admins are unaware messages are being sent to a third party. I wouldn’t be surprised if some of these bots are ran by state actors.
This isn't Discord doing this out of the goodness of their privacy-concerned hearts. They'll eventually try to do a Salesforce-Slack kind of play here by preventing external entities from monetizing on their platform.
Tech will turn into a casino where the house (aka the platform) always wins.
One of the things I found surprising is that many of Discord's bot permissions are not scoped to servers at all. I've been asked to authenticate with a bot service for one server numerous times that requests access to things pertaining to all servers I use, and that seems very wrong.
Yup. I ran a bot a long time ago and it was pretty trivial to quietly scrape the entire history of any server it was in.
I only ever did this on my own server for good reason, but still.
Really a bot doesn't have any more access than a user does. You as a user can manually scroll back through the entire server history, you can check on roles, and you can see the names of channels that are hidden from you.
But it becomes a problem when bots are doing this at scale and selling the resulting data. Sort of like some other bots that people like to argue are doing the same thing a human could.
Tokens got leaked on BotGhost and BotGhost straight up REFUSED to instruct their customers to rotate their keys. I am with Discord, as BotGhost has shown to not be able to securely store keys
> At the same time, I explored how to securely reset all bot tokens.
> Unfortunately, the only method currently offered by Discord involves committing them to a public GitHub repo, which is not a viable or secure option.
For whatever it's worth, I actually think this dev is understating the impact of their security issues. They had 2 token leaks - albeit conditional and with prerequisites. Given the sorts of tokens that a user has to supply to use this sort of generic app builder, this is pretty serious.
That said, I think inconsistent enforcement, when it favors them, is a really bad look on Discord. It totally looks like they're doing cover-their-ass, whack-a-mole, public relations-driven enforcement.
There are lots of details about the technology, license agreements, service history, comparable platforms, and whatnot, which all form reasonable support for botghost.
None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.
It seems like it's about to end the way it was always going to.
And they should treat them like it. Adversarial interoperability is the name of the game now. If they need little robots typing on real phones, so be it.
yup, agreed- worth going over the non tl;dr (sufficient to say the tl;dr misses some good juice, but thats what the page in full is for).
i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to botgost
histories of policies-ish:
- from the tl;dr (they also explain #4 as well in the non-tl;dr):
> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.
> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.
> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.
- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...
> NEITHER DISCORD NOR ITS AFFILIATES, SUPPLIERS, OR DISTRIBUTORS MAKE ANY SPECIFIC PROMISES ABOUT THE APIs, API DATA, DOCUMENTATION, OR ANY DISCORD SERVICES.
The existence of terms like this make any discussion of the other terms look pretty silly.
Their policy is simply that they do whatever they want, and that hasn't changed.
It's also funny how selective-enforcement the discord TOS and dev policies are -- they turn a blind eye if not even encourage third party/modified first party clients "because retro" / "haha discord on windows 95 funny" (and even encourage it in some cases), yet those modified clients are explicitly banned in the TOS.
> If BotGhost is forced to shut down, your bot will stop working. Your settings, custom commands, custom events, market commands, market events and any work at all hosted on BotGhost will be lost. Because BotGhost does not produce code, there is no way for us to export your bot's configuration.
> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.
I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?
What they mean is "the 'no-code' logic for your bot is stored in a proprietary format that's only understood by our software, and we don't want to release our software publicly, nor do we want to document the format."
An end user creates an application in Discord. They create a bot within that application, and Discord generates a token for the bot. They then copy the token into BotGhost, and BotGhost "operates" the bot. The application itself is still owned by the user, and BotGhost has no access to it.
Yeah, if you want to pump oil, you better also build your own railways to distribute it, because you won't like what Standard Oil will charge you for their trains.
>Yeah, if you want to pump oil, you better also build your own railways to distribute it
You're being facetious, but OP is right. For software platforms, this has been a constant. It happened with Twitter, Facebook, Google (Search/Ads, Maps, Chat), Reddit, LinkedIn - basically ever major software platform started off with relatively open APIs that were then closed-off as it gained critical mass and focused on monetization.
Unless you're prepared for the business to last an unknown limited amount of time.
Pretty much every business is built on shaky foundations. If you never built business on shaky foundations, you'd never do anything at all. You needed an IBM-compatible PC to use Windows! You need a web browser to use Hacker News. Y Combinator is only meaningful as long as dollars are worth something.
If you make a business that runs on IBM PCs, make a few billion dollars, then 10 years later IBM rugpulls the PC line and sues everyone who copied it... was there really a "lesson" that needed "learning" or did you simply succeed at business and make a few billion dollars?
They're distributed through the stores, but not built on top of them, as is evidenced by the fact that you can distribute the same app on both platforms.
Android also supports third party stores/standalone installers and iOS is fighting an ongoing legal battle due to its lack of a permanent equivalent.
These companies charge money for their services and have competitors. AWS’ entire business models is providing developer services, and if I don’t like their offerings I can go elsewhere.
Discord, Twitter, Reddit, etc. that have become hostile to third parties have free APIs to reel in developers to make their platform more attractive to users, and once they’ve reached critical mass, they turn around and fuck over those developers. This is because their primary business model is serving their users, and developers eventually “get in the way”.
So the person you’re replying to should add an addendum: never build your app/business on top of third parties IF their primary business models aren’t providing services to developers.
The problem with building everything without dependencies on other peoples' platforms is that it's a lot of work to build your own chip fabrication machines when you just wanted to sell chat bots.
Chat bots on your own hosted platform which has no users isn't something people will want to buy. I mean, some people will want to buy it for click to chat on their websites or something. But if there's a market for chat bots in general spaces, you have to address that market where people are chatting, which is Discord, apparently.
Playing devil's advocate a bit, if this service hosts a Discord bot you create for you, that means it uses the bot token, right? The service has to store and secure hundreds of thousands of tokens, if all of those get breached/leaked, an attacker can do a lot to a lot of Discord servers assuming it has the requisite permissions.
However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?
Discord holds user session tokens right? If those tokens are leaked then attackers will have access to Discord user data. Seems like Discord should be shut down.
Discord has the plaintext of every single message ever sent via Discord, including all DMs.
Can you imagine the value to LLM companies?
It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).
General PSA: in most situations these things like "terms of service" and "breach notice" have no legal effect. (I am not a lawyer and this is not legal advice)
What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.
It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.
Discord has been against botting personal accounts for a long time. If you want to automate, you make a bot account and ask the server permission to join with it.
You can teach someone how to rent a vps and run a docker image with one 10-minute youtube video. Then they can use the drag and drop editor and run the bot themselves. If they don’t want to pay for hosting that’s too bad. A vps to run a bot will cost a couple bucks a month.
Oh come on. I'm sure they care about the users, and they were also hoping to build a business. Why the hostility? You don't have to kick them when they are down.
This same story plays out with every monopoly platform e.g. Apple.
Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter– you are getting dicked down because they want it to be so.
The biggest problem is that discord has no way to authorize these platforms without the user giving them credentials. It’s really stupid because it would be so easy to fix.
I think that's because Discord doesn't want them to do it this way. I suspect Discord wants BotGhost to operate their own bot with their own credentials, and have users invite the bot to their servers (similar to how many existing bots work). BotGhost could tell which no-code workflows apply based on server and/or channel ID.
I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
Graph like coding environments like this are a form of code though, so I can definitely see the argument that they just are hosting the users bot for them.
Agree! I finally set up my own NodeBB forum for my app support and I'm very excited to move in this direction. It was a nicer experience than expected.
Reddit is more evil than Discord IMO - they did this years ago, tried to shut down all bots and unofficial apps, and they heavily manipulate consensus opinion, which Discord doesn't as far as I know.
I can't think of any way to look at this where Reddit is the lesser evil. I respect the position but I don't understand it. Reddit and Twitter reached the floor of enshittification with their respective 2023 actions. Discord and others may follow the precedent and get there, but my usage hasn't been affected yet. The Discord official client, unlike Reddit/Twitter, is still ad-free except for the occasional icon highlighting their "Shop" tab.
I use an adblock, so I don't see any ads on Reddit.
> I can't think of any way to look at this where Reddit is the lesser evil.
Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.
I'm building a lot on discord right now, I like it but I keep getting scared, then I think, eh, irc servers could have gone away too I suppose, in fact they did, much was lost. I'm sure I'm missing a lot of nuanced thinking in this though.
The massive nuance you are missing is that IRC had a default expectation of being ephemeral in nature. Sure you might use IRC for chatting and have some bots around that - but typically your long term storage of information would have been handled in something like a forum, website, email list, file repository, etc - so that even if an individual IRC server went down it wasn't a big deal to move along. IRC was/is less a platform and more a protocol.
Discord on the other hand does everything IRC does but people have made it take the place of forums, blogs, file repos, etc etc. All this information is locked up in a platform that can't be searched or often even accessed without signing up for the platform. Unlike IRC however Discord is not a protocol that others can tie into - it's a platform and they can/do actively lock people out of it.
> The massive nuance you are missing is that IRC had a default expectation of being ephemeral in nature.
Bouncers and log bots have been a thing even 20 years ago when I was active on Freenode. In fact, a bouncer and log bot was what made me get my very first own VPS... time flies. It lasted a year until my first attempt at a libc upgrade failed, that was a lot of work to fix.
Indeed. Discord have really nailed the... ircd, if you will, for what I use discord for (community building in non-technical abstract user bases), it's perfect, terrifying, but perfect.
There's one thing missing from the "What you can do", although I admit it's a tough call for anyone not located in SF: actually go on the street and physically protest at the office. It's easy to dismiss blog posts, youtube videos or social media shitstorms, we've all grown accustomed to the noise.
But it's hard to ignore actual people on the street in front of your office calling out your bullshit. In addition, it gives nice pictures for the press, and that's the only thing investors actually fear.
It feels to me like Discord is speed-running the developer relations playbook that we've seen happen over a longer timeframe with large platforms like Apple and Google. This is the second high profile incident like this in recent weeks IIRC.
What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.
Discord has a monopoly on access to its users, and so does not need to concern themselves with making it attractive to build there: the users are the draw, not the developer-friendliness of the platform. BotGhost should seek anti-monopoly enforcement; having EU users file the appropriate EU claims to appeal for Discord to be subjected to the DMA would be far more a threat to Discord’s monopoly than user support tickets are likely to persuade them.
I was under the impression that writing a third party client was against TOS, and don't you have to write a client to get your bot to interact with the server?
> A recent security breach on our platform brought BotGhost to Discord’s attention.
The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY
I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.
Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.
I really dislike the way they try and play this down in the doc:
https://update.botghost.com/#-summary-of-the-breaches-
Maybe uncharitable, but it seems like BotGhost comprehensively doesn't take security seriously. Not only were there bad vulnerabilities, but they didn't have the logging (or didn't use it) to see who was affected; didn't want to roll keys; didn't want to announce; and didn't even have their own bots use their own security features. So yeah. I'm a bit more sympathetic if Discord decided that BotGhost in particular wasn't going to be using Discord's platform any more. Because I'd guess the probability these are the last of BotGhost's serious vulnerabilities to be about 0%.
So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
That logging you want (every command and response) would have been a huge GDPR violation.
I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?
3 replies →
The video is linked in the article, amongst the response, timeline and further fixed exploits.
But it is correct that the article does not reiterate the technical details of the exploit.
I've often thought about the amount of data that these bot services must have access to (they could log millions of private channels), data thats silo'd away from search engines/indexers and could be pretty valuable to sell to someone training an AI model, or doing other things.
A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.
After Reddit's API shutdown the writing was on the wall. Services like Reddit and Discord are huge data troves, and now this data has a concrete $$ value. Offering unrestricted API access means that third parties will store and sell this data. So shutting them down (and monetizing your data yourself) is an obvious decision. Slack recently changed its ToS to disallow this as well - https://www.reuters.com/business/salesforce-blocks-ai-rivals....
Discord locked down the ability of bots to read message contents back in 2022. For bots used in over 100 servers, doing so now requires explicit approval from Discord (in addition to the standard approval the server owner would need to give). For most bots, the rest of the bot API is rich enough for this to not be an issue.
That cuts out a lot of the value for LLM training; and will reduce the blast radius if Discord ever decides to fully pull the plug on message access.
To read message archives or to read messages in realtime? Because I was working on a sideproject that required monitoring the messages in a channel, not just slash commands.
2 replies →
this is good to know! thank you for the info
Some of them are absolutely up to dodgy stuff, they have access to countless private chats in servers where the users/admins are unaware messages are being sent to a third party. I wouldn’t be surprised if some of these bots are ran by state actors.
This isn't Discord doing this out of the goodness of their privacy-concerned hearts. They'll eventually try to do a Salesforce-Slack kind of play here by preventing external entities from monetizing on their platform.
Tech will turn into a casino where the house (aka the platform) always wins.
Yea the data market from discord bots is quite a thing. Really concerning, imo.
One of the things I found surprising is that many of Discord's bot permissions are not scoped to servers at all. I've been asked to authenticate with a bot service for one server numerous times that requests access to things pertaining to all servers I use, and that seems very wrong.
Yup. I ran a bot a long time ago and it was pretty trivial to quietly scrape the entire history of any server it was in.
I only ever did this on my own server for good reason, but still.
Really a bot doesn't have any more access than a user does. You as a user can manually scroll back through the entire server history, you can check on roles, and you can see the names of channels that are hidden from you.
But it becomes a problem when bots are doing this at scale and selling the resulting data. Sort of like some other bots that people like to argue are doing the same thing a human could.
spy.pet used user accounts. botghost uses bot accounts, for which you need to enable certain intents in order to read messages.
Tokens got leaked on BotGhost and BotGhost straight up REFUSED to instruct their customers to rotate their keys. I am with Discord, as BotGhost has shown to not be able to securely store keys
> At the same time, I explored how to securely reset all bot tokens.
> Unfortunately, the only method currently offered by Discord involves committing them to a public GitHub repo, which is not a viable or secure option.
I'm pretty sad about this all-around.
For whatever it's worth, I actually think this dev is understating the impact of their security issues. They had 2 token leaks - albeit conditional and with prerequisites. Given the sorts of tokens that a user has to supply to use this sort of generic app builder, this is pretty serious.
That said, I think inconsistent enforcement, when it favors them, is a really bad look on Discord. It totally looks like they're doing cover-their-ass, whack-a-mole, public relations-driven enforcement.
There are lots of details about the technology, license agreements, service history, comparable platforms, and whatnot, which all form reasonable support for botghost.
None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.
It seems like it's about to end the way it was always going to.
And they should treat them like it. Adversarial interoperability is the name of the game now. If they need little robots typing on real phones, so be it.
yup, agreed- worth going over the non tl;dr (sufficient to say the tl;dr misses some good juice, but thats what the page in full is for).
i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to botgost
histories of policies-ish:
- from the tl;dr (they also explain #4 as well in the non-tl;dr):
> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.
- policy from discrap: https://support-dev.discord.com/hc/en-us/articles/8563934450...
> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.
- policy in 2022 (of that page, but note the random digits in the numbers make it terrible to easily see history), thanks archive.org!: https://web.archive.org/web/20221001073449/https://support-d...
> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.
- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...
edit: fix copy-pasta
> NEITHER DISCORD NOR ITS AFFILIATES, SUPPLIERS, OR DISTRIBUTORS MAKE ANY SPECIFIC PROMISES ABOUT THE APIs, API DATA, DOCUMENTATION, OR ANY DISCORD SERVICES.
The existence of terms like this make any discussion of the other terms look pretty silly.
Their policy is simply that they do whatever they want, and that hasn't changed.
1 reply →
It's also funny how selective-enforcement the discord TOS and dev policies are -- they turn a blind eye if not even encourage third party/modified first party clients "because retro" / "haha discord on windows 95 funny" (and even encourage it in some cases), yet those modified clients are explicitly banned in the TOS.
1 reply →
> If BotGhost is forced to shut down, your bot will stop working. Your settings, custom commands, custom events, market commands, market events and any work at all hosted on BotGhost will be lost. Because BotGhost does not produce code, there is no way for us to export your bot's configuration.
> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.
I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?
What they mean is "the 'no-code' logic for your bot is stored in a proprietary format that's only understood by our software, and we don't want to release our software publicly, nor do we want to document the format."
An end user creates an application in Discord. They create a bot within that application, and Discord generates a token for the bot. They then copy the token into BotGhost, and BotGhost "operates" the bot. The application itself is still owned by the user, and BotGhost has no access to it.
botghost should still theoretically be able to serialize and export the bot's logic
1 reply →
Repeat after me and frame this.
Never build your main business on somebody else's platform.
Always assume that you will get shutdown / rugged when you do so.
Yeah, if you want to pump oil, you better also build your own railways to distribute it, because you won't like what Standard Oil will charge you for their trains.
>Yeah, if you want to pump oil, you better also build your own railways to distribute it
You're being facetious, but OP is right. For software platforms, this has been a constant. It happened with Twitter, Facebook, Google (Search/Ads, Maps, Chat), Reddit, LinkedIn - basically ever major software platform started off with relatively open APIs that were then closed-off as it gained critical mass and focused on monetization.
3 replies →
That’s actually solid advice. At a certain point it’s cheaper to build your own datacenter than to rent servers…
Unless you're prepared for the business to last an unknown limited amount of time.
Pretty much every business is built on shaky foundations. If you never built business on shaky foundations, you'd never do anything at all. You needed an IBM-compatible PC to use Windows! You need a web browser to use Hacker News. Y Combinator is only meaningful as long as dollars are worth something.
If you make a business that runs on IBM PCs, make a few billion dollars, then 10 years later IBM rugpulls the PC line and sues everyone who copied it... was there really a "lesson" that needed "learning" or did you simply succeed at business and make a few billion dollars?
>Never build your main business on somebody else's platform.
Yep. It’s a lesson that keeps being re-learned the hard way.
I’m sure Uber and DoorDash and Lyft and Tinder and Instagram and WhatsApp are regretting the billions and billions they made doing this.
It’s bad advice.
2 replies →
> Never build your main business on somebody else's platform.
Are there any (profitable) phone apps that are not build on top of the app/play store?
They're distributed through the stores, but not built on top of them, as is evidenced by the fact that you can distribute the same app on both platforms.
Android also supports third party stores/standalone installers and iOS is fighting an ongoing legal battle due to its lack of a permanent equivalent.
How are you going to avoid Microsoft, Apple, Google, and AWS? The most common OS, browser, and infra platforms.
You have to build on something, and there's going to be a corporation somewhere in your stack.
These companies charge money for their services and have competitors. AWS’ entire business models is providing developer services, and if I don’t like their offerings I can go elsewhere.
Discord, Twitter, Reddit, etc. that have become hostile to third parties have free APIs to reel in developers to make their platform more attractive to users, and once they’ve reached critical mass, they turn around and fuck over those developers. This is because their primary business model is serving their users, and developers eventually “get in the way”.
So the person you’re replying to should add an addendum: never build your app/business on top of third parties IF their primary business models aren’t providing services to developers.
The problem with building everything without dependencies on other peoples' platforms is that it's a lot of work to build your own chip fabrication machines when you just wanted to sell chat bots.
Chat bots on your own hosted platform which has no users isn't something people will want to buy. I mean, some people will want to buy it for click to chat on their websites or something. But if there's a market for chat bots in general spaces, you have to address that market where people are chatting, which is Discord, apparently.
Not really possible. If you're using the DNS system or even an internet connection - you're on someone's platform that may want to pull your plug.
Playing devil's advocate a bit, if this service hosts a Discord bot you create for you, that means it uses the bot token, right? The service has to store and secure hundreds of thousands of tokens, if all of those get breached/leaked, an attacker can do a lot to a lot of Discord servers assuming it has the requisite permissions.
However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?
Discord holds user session tokens right? If those tokens are leaked then attackers will have access to Discord user data. Seems like Discord should be shut down.
Hmm, good point, but Discord can't control the security of a third party platform like this.
Not saying it's the right thing to do, but it seems to be their reasoning.
Discord has the plaintext of every single message ever sent via Discord, including all DMs.
Can you imagine the value to LLM companies?
It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).
I have not been able to use Discord for years, even when I try hard against my better judgement. It always ends with one of these:
Create new account: all servers stuck in preview mode permanently
Create new account: instantly auto-banned
Create new account: phone-walled immediately
Create new account: banned immediately after providing phone number
Ban appeal: "our automated system is working properly, appeal denied"
Doesn't matter what computer/ISP/OS/browser/etc. I use, the experience is always one of these.
Try using a gmail account.
I'm not able to create one without a phone number, been trying for years.
General PSA: in most situations these things like "terms of service" and "breach notice" have no legal effect. (I am not a lawyer and this is not legal advice)
What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.
It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.
Discord has been against botting personal accounts for a long time. If you want to automate, you make a bot account and ask the server permission to join with it.
Then it's a good thing that's what BotGhost does. Except Discord's saying you're not allowed to do that either now.
If you care so much about the users as you say then you will release the code in a docker image so they can continue using your product.
their target audience does not know what a "docker" is, much less wants to lease a server for hosting
You can teach someone how to rent a vps and run a docker image with one 10-minute youtube video. Then they can use the drag and drop editor and run the bot themselves. If they don’t want to pay for hosting that’s too bad. A vps to run a bot will cost a couple bucks a month.
10 replies →
Oh come on. I'm sure they care about the users, and they were also hoping to build a business. Why the hostility? You don't have to kick them when they are down.
This same story plays out with every monopoly platform e.g. Apple.
Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter– you are getting dicked down because they want it to be so.
> every monopoly platform
discord ain't a monopoly in any relevant sense of the word
>Discord Is Threatening to Shutdown
I was excited there for a second.
Kind of lame to put competitors on blast.
That wasn't the point of that. I think that's fairly obvious.
Intention or not, that’s what he did.
The biggest problem is that discord has no way to authorize these platforms without the user giving them credentials. It’s really stupid because it would be so easy to fix.
I think that's because Discord doesn't want them to do it this way. I suspect Discord wants BotGhost to operate their own bot with their own credentials, and have users invite the bot to their servers (similar to how many existing bots work). BotGhost could tell which no-code workflows apply based on server and/or channel ID.
I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
Graph like coding environments like this are a form of code though, so I can definitely see the argument that they just are hosting the users bot for them.
$5 Discord is doing it because they realized they can "clone" the idea and sell it as a subscription service.
>THESE GUYS DO IT TOO
Yup just throw everyone else under the bus.
Sorry for your loss. I too virtually stopped using Discord in favor of, mostly, Reddit (lesser of two evils).
I'm not sure how the two are remotely comparable. I don't go to Reddit for live discussion, voice and video chat, etc.
I used to go to Discord for help, and now I go to Reddit for help.
1 reply →
The lesser of two evils is still evil. Make Forums Great Again!
Agree! I finally set up my own NodeBB forum for my app support and I'm very excited to move in this direction. It was a nicer experience than expected.
Reddit is more evil than Discord IMO - they did this years ago, tried to shut down all bots and unofficial apps, and they heavily manipulate consensus opinion, which Discord doesn't as far as I know.
I can't think of any way to look at this where Reddit is the lesser evil. I respect the position but I don't understand it. Reddit and Twitter reached the floor of enshittification with their respective 2023 actions. Discord and others may follow the precedent and get there, but my usage hasn't been affected yet. The Discord official client, unlike Reddit/Twitter, is still ad-free except for the occasional icon highlighting their "Shop" tab.
> is still ad-free
I use an adblock, so I don't see any ads on Reddit.
> I can't think of any way to look at this where Reddit is the lesser evil.
Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.
2 replies →
are you sure you know what 'lesser' means? /s
I'm building a lot on discord right now, I like it but I keep getting scared, then I think, eh, irc servers could have gone away too I suppose, in fact they did, much was lost. I'm sure I'm missing a lot of nuanced thinking in this though.
The massive nuance you are missing is that IRC had a default expectation of being ephemeral in nature. Sure you might use IRC for chatting and have some bots around that - but typically your long term storage of information would have been handled in something like a forum, website, email list, file repository, etc - so that even if an individual IRC server went down it wasn't a big deal to move along. IRC was/is less a platform and more a protocol.
Discord on the other hand does everything IRC does but people have made it take the place of forums, blogs, file repos, etc etc. All this information is locked up in a platform that can't be searched or often even accessed without signing up for the platform. Unlike IRC however Discord is not a protocol that others can tie into - it's a platform and they can/do actively lock people out of it.
> The massive nuance you are missing is that IRC had a default expectation of being ephemeral in nature.
Bouncers and log bots have been a thing even 20 years ago when I was active on Freenode. In fact, a bouncer and log bot was what made me get my very first own VPS... time flies. It lasted a year until my first attempt at a libc upgrade failed, that was a lot of work to fix.
3 replies →
IRC is decentralized; you can self-host. Discord, despite misusing the term “server”, is one user database and one centralized organization.
You can always run your own IRC server. If Discord shuts down, then you're out of luck.
Indeed. Discord have really nailed the... ircd, if you will, for what I use discord for (community building in non-technical abstract user bases), it's perfect, terrifying, but perfect.
You can run your own Revolt, Mattermost, or Rocket Chat server, which is basically Discord.
3 replies →
I was sympathetic up until the line
> Over 3 million users and bots created
which struck me as thoroughly disingenuous. Surely they know how many users they have, and how many bots have been created. Why conflate the two?
They clearly have the data too. Their home page states ~2M bots and ~1.5M users
There's one thing missing from the "What you can do", although I admit it's a tough call for anyone not located in SF: actually go on the street and physically protest at the office. It's easy to dismiss blog posts, youtube videos or social media shitstorms, we've all grown accustomed to the noise.
But it's hard to ignore actual people on the street in front of your office calling out your bullshit. In addition, it gives nice pictures for the press, and that's the only thing investors actually fear.
It feels to me like Discord is speed-running the developer relations playbook that we've seen happen over a longer timeframe with large platforms like Apple and Google. This is the second high profile incident like this in recent weeks IIRC.
What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.
Discord has a monopoly on access to its users, and so does not need to concern themselves with making it attractive to build there: the users are the draw, not the developer-friendliness of the platform. BotGhost should seek anti-monopoly enforcement; having EU users file the appropriate EU claims to appeal for Discord to be subjected to the DMA would be far more a threat to Discord’s monopoly than user support tickets are likely to persuade them.
Wait, doesn't every company have a monopoly on access to its users? Are we all monopolies?
6 replies →
Has there ever been anything warm and fuzzy about discord?
So it sounds like you just go open source and let people host their own bot
You can already do that. People who want to do that aren't using BotGhost.
I was under the impression that writing a third party client was against TOS, and don't you have to write a client to get your bot to interact with the server?
3 replies →