I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.
rozab
Seems like this is it. They should have got Discord to revoke all the potentially affected tokens. Instead, they tried to hide it and Discord forced their hand.
I really dislike the way they try and play this down in the doc:
The video is linked in the article, amongst the response, timeline and further fixed exploits.
But it is correct that the article does not reiterate the technical details of the exploit.
x0x0
Maybe uncharitable, but it seems like BotGhost comprehensively doesn't take security seriously. Not only were there bad vulnerabilities, but they didn't have the logging (or didn't use it) to see who was affected; didn't want to roll keys; didn't want to announce; and didn't even have their own bots use their own security features. So yeah. I'm a bit more sympathetic if Discord decided that BotGhost in particular wasn't going to be using Discord's platform any more. Because I'd guess the probability these are the last of BotGhost's serious vulnerabilities to be about 0%.
So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
immibis
That logging you want (every command and response) would have been a huge GDPR violation.
I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?
x0x0
You do not understand GDPR at all. Both performance of contract and legitimate interests cover security issues and associated logging.
czk
I've often thought about the amount of data that these bot services must have access to (they could log millions of private channels), data thats silo'd away from search engines/indexers and could be pretty valuable to sell to someone training an AI model, or doing other things.
A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.
paxys
After Reddit's API shutdown the writing was on the wall. Services like Reddit and Discord are huge data troves, and now this data has a concrete $$ value. Offering unrestricted API access means that third parties will store and sell this data. So shutting them down (and monetizing your data yourself) is an obvious decision. Slack recently changed its ToS to disallow this as well - https://www.reuters.com/business/salesforce-blocks-ai-rivals....
gizmo686
Discord locked down the ability of bots to read message contents back in 2022. For bots used in over 100 servers, doing so now requires explicit approval from Discord (in addition to the standard approval the server owner would need to give). For most bots, the rest of the bot API is rich enough for this to not be an issue.
That cuts out a lot of the value for LLM training; and will reduce the blast radius if Discord ever decides to fully pull the plug on message access.
HWR_14
To read message archives or to read messages in realtime? Because I was working on a sideproject that required monitoring the messages in a channel, not just slash commands.
gizmo686
Read messages in realtime.
HWR_14
At least I know now before I put more effort into it. Thank you for the warning.
czk
this is good to know! thank you for the info
cedws
Some of them are absolutely up to dodgy stuff, they have access to countless private chats in servers where the users/admins are unaware messages are being sent to a third party. I wouldn’t be surprised if some of these bots are ran by state actors.
haneul
Yea the data market from discord bots is quite a thing. Really concerning, imo.
areyourllySorry
spy.pet used user accounts. botghost uses bot accounts, for which you need to enable certain intents in order to read messages.
fakedang
This isn't Discord doing this out of the goodness of their privacy-concerned hearts. They'll eventually try to do a Salesforce-Slack kind of play here by preventing external entities from monetizing on their platform.
Tech will turn into a casino where the house (aka the platform) always wins.
mystified5016
Yup. I ran a bot a long time ago and it was pretty trivial to quietly scrape the entire history of any server it was in.
I only ever did this on my own server for good reason, but still.
Really a bot doesn't have any more access than a user does. You as a user can manually scroll back through the entire server history, you can check on roles, and you can see the names of channels that are hidden from you.
But it becomes a problem when bots are doing this at scale and selling the resulting data. Sort of like some other bots that people like to argue are doing the same thing a human could.
ocdtrekkie
One of the things I found surprising is that many of Discord's bot permissions are not scoped to servers at all. I've been asked to authenticate with a bot service for one server numerous times that requests access to things pertaining to all servers I use, and that seems very wrong.
bunbun69
Tokens got leaked on BotGhost and BotGhost straight up REFUSED to instruct their customers to rotate their keys. I am with Discord, as BotGhost has shown to not be able to securely store keys
lysp
> At the same time, I explored how to securely reset all bot tokens.
> Unfortunately, the only method currently offered by Discord involves committing them to a public GitHub repo, which is not a viable or secure option.
RainyDayTmrw
I'm pretty sad about this all-around.
For whatever it's worth, I actually think this dev is understating the impact of their security issues. They had 2 token leaks - albeit conditional and with prerequisites. Given the sorts of tokens that a user has to supply to use this sort of generic app builder, this is pretty serious.
That said, I think inconsistent enforcement, when it favors them, is a really bad look on Discord. It totally looks like they're doing cover-their-ass, whack-a-mole, public relations-driven enforcement.
throwaway7679
There are lots of details about the technology, license agreements, service history, comparable platforms, and whatnot, which all form reasonable support for botghost.
None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.
It seems like it's about to end the way it was always going to.
immibis
And they should treat them like it. Adversarial interoperability is the name of the game now. If they need little robots typing on real phones, so be it.
out-of-ideas
yup, agreed- worth going over the non tl;dr (sufficient to say the tl;dr misses some good juice, but thats what the page in full is for).
i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to botgost
histories of policies-ish:
- from the tl;dr (they also explain #4 as well in the non-tl;dr):
> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.
> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.
> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.
- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...
edit: fix copy-pasta
kotaKat
It's also funny how selective-enforcement the discord TOS and dev policies are -- they turn a blind eye if not even encourage third party/modified first party clients "because retro" / "haha discord on windows 95 funny" (and even encourage it in some cases), yet those modified clients are explicitly banned in the TOS.
immibis
Every business does this. Every business. Every institution, even.
Rules are there for a few reasons, but precisely enumerating the things you can and cannot do isn't one of them. (That's why programmers definitely shouldn't litigate pro se.)
One purpose is to try to indemnify the institution making the rules: "See, we said you're not allowed to do X. Damages resulting from X aren't our fault." Another purpose is to deter bad behaviour: if they say you're not allowed to do X, you're less likely to do X. A third purpose is to provide cover for their actions - most easily by writing a rule that literally everyone breaks and then selectively enforcing it, or by writing vague rules you can selectively interpret. If they can punish you and then point to a rule you allegedly broke, you're more likely to accept it and less likely to retaliate. Notice how all of these purposes have to do with manipulating other people. (Are you reminded of any countries?)
You should do it too, if you want to be successful in an amoral business environment. Don't hate the player, hate the game.
Unless your customers pay extra for well-defined rules to create a stable environment for themselves. In that case, you should do that, and take their money. That sort of thing is, for example, why some people would rather pay more for a technically inferior Fairphone or Librem than a flagship Android phone or iPhone.
throwaway7679
> NEITHER DISCORD NOR ITS AFFILIATES, SUPPLIERS, OR DISTRIBUTORS MAKE ANY SPECIFIC PROMISES ABOUT THE APIs, API DATA, DOCUMENTATION, OR ANY DISCORD SERVICES.
The existence of terms like this make any discussion of the other terms look pretty silly.
Their policy is simply that they do whatever they want, and that hasn't changed.
out-of-ideas
> Their policy is simply that they do whatever they want, and that hasn't changed.
yup! and don't forget they can change their policy whenever they want too
> If BotGhost is forced to shut down, your bot will stop working. Your settings, custom commands, custom events, market commands, market events and any work at all hosted on BotGhost will be lost. Because BotGhost does not produce code, there is no way for us to export your bot's configuration.
> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.
I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?
teraflop
What they mean is "the 'no-code' logic for your bot is stored in a proprietary format that's only understood by our software, and we don't want to release our software publicly, nor do we want to document the format."
paxys
An end user creates an application in Discord. They create a bot within that application, and Discord generates a token for the bot. They then copy the token into BotGhost, and BotGhost "operates" the bot. The application itself is still owned by the user, and BotGhost has no access to it.
markasoftware
botghost should still theoretically be able to serialize and export the bot's logic
lsaferite
They could export a DSL that captures the workflow at least.
Banditoz
Playing devil's advocate a bit, if this service hosts a Discord bot you create for you, that means it uses the bot token, right? The service has to store and secure hundreds of thousands of tokens, if all of those get breached/leaked, an attacker can do a lot to a lot of Discord servers assuming it has the requisite permissions.
However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?
paxys
Discord holds user session tokens right? If those tokens are leaked then attackers will have access to Discord user data. Seems like Discord should be shut down.
Banditoz
Hmm, good point, but Discord can't control the security of a third party platform like this.
Not saying it's the right thing to do, but it seems to be their reasoning.
sneak
Discord has the plaintext of every single message ever sent via Discord, including all DMs.
Can you imagine the value to LLM companies?
It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).
mslansn
If you care so much about the users as you say then you will release the code in a docker image so they can continue using your product.
areyourllySorry
their target audience does not know what a "docker" is, much less wants to lease a server for hosting
mslansn
You can teach someone how to rent a vps and run a docker image with one 10-minute youtube video. Then they can use the drag and drop editor and run the bot themselves. If they don’t want to pay for hosting that’s too bad. A vps to run a bot will cost a couple bucks a month.
JadoJodo
*You can teach ~someone~ a very technical user how to …
I get the non-techie blindspot that all of us have in some form or another. With that in mind: it took three days to give my brother a crash course in Linux + Docker for his own home server (and even then he only knew the very basics). He’s fairly proficient in tech: builds his own desktops, knows the basics of code, doesn’t shy away from digging into the why, etc.
It would be unrealistic (and frankly irresponsible) to expect someone to setup _and understand_ a Docker server setup from a 10-minute video.
swyx
yes but also once you let that happen there will be thousands of discord servers holding tokens, with no security updates...
koakuma-chan
It's actually pretty hard to install Docker... Add Docker official GPG key... Install a bunch of crap...
Oh come on. I'm sure they care about the users, and they were also hoping to build a business. Why the hostility? You don't have to kick them when they are down.
apt-apt-apt-apt
This same story plays out with every monopoly platform e.g. Apple.
Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter– you are getting dicked down because they want it to be so.
meepmorp
> every monopoly platform
discord ain't a monopoly in any relevant sense of the word
colesantiago
Repeat after me and frame this.
Never build your main business on somebody else's platform.
Always assume that you will get shutdown / rugged when you do so.
like_any_other
Yeah, if you want to pump oil, you better also build your own railways to distribute it, because you won't like what Standard Oil will charge you for their trains.
macspoofing
>Yeah, if you want to pump oil, you better also build your own railways to distribute it
You're being facetious, but OP is right. For software platforms, this has been a constant. It happened with Twitter, Facebook, Google (Search/Ads, Maps, Chat), Reddit, LinkedIn - basically ever major software platform started off with relatively open APIs that were then closed-off as it gained critical mass and focused on monetization.
like_any_other
I'm not being facetious, I'm pointing out a real problem - the market fraction accessible to a new business, that isn't reliant on the good will of some giant incumbent, is shrinking. This time it's Discord, another time it's Google ads/search blacklist, or Microsoft flagging your website or program as malicious, or Facebook shadowbanning you (or charging to show your posts even to people who explicitly followed you [1]), or Walmart extorting you for shelf space access, VISA and PayPal rejecting you..
If your move is to simply retreat, and give up all this ground, what market is left for you? People who get their news and ads by paper mail, shop only at tiny independent stores, paying in cash? How many businesses can survive with ~5% (a generous estimate of the described market's relative size) of their current traffic?
And it's bigger than software. This is just vertical integration; both your suppliers and your customers will ask if they can replace you. As they should. If your only value is as a middleman that your upstream supplier can easily replace... well, that's not a lot of value.
fnimick
You're hardly safe on operating system platforms either. Look at the long history of Apple sherlocking independent vendors.
shreddit
That’s actually solid advice. At a certain point it’s cheaper to build your own datacenter than to rent servers…
macspoofing
>Never build your main business on somebody else's platform.
Yep. It’s a lesson that keeps being re-learned the hard way.
sneak
I’m sure Uber and DoorDash and Lyft and Tinder and Instagram and WhatsApp are regretting the billions and billions they made doing this.
It’s bad advice.
macspoofing
>I’m sure Uber and DoorDash and Lyft and Tinder and Instagram and WhatsApp are regretting the billions and billions they made doing this.
I'm not sure which platforms those companies built their businesses on .. are you equating build an app on iOS or Android with building an app that relies on, say, Facebook APIs and only works on Facebook?
sneak
Without the App Store and Play Store, Uber and Instagram and WhatsApp can’t exist.
When Uber came out and for years afterward, there were no location APIs in mobile browsers.
When Instagram came out, there was no way to access the camera or photos in web apps.
Mashimo
> Never build your main business on somebody else's platform.
Are there any (profitable) phone apps that are not build on top of the app/play store?
Crestwave
They're distributed through the stores, but not built on top of them, as is evidenced by the fact that you can distribute the same app on both platforms.
Android also supports third party stores/standalone installers and iOS is fighting an ongoing legal battle due to its lack of a permanent equivalent.
lordnacho
How are you going to avoid Microsoft, Apple, Google, and AWS? The most common OS, browser, and infra platforms.
You have to build on something, and there's going to be a corporation somewhere in your stack.
adesanmi
These companies charge money for their services and have competitors. AWS’ entire business models is providing developer services, and if I don’t like their offerings I can go elsewhere.
Discord, Twitter, Reddit, etc. that have become hostile to third parties have free APIs to reel in developers to make their platform more attractive to users, and once they’ve reached critical mass, they turn around and fuck over those developers. This is because their primary business model is serving their users, and developers eventually “get in the way”.
So the person you’re replying to should add an addendum: never build your app/business on top of third parties IF their primary business models aren’t providing services to developers.
toast0
The problem with building everything without dependencies on other peoples' platforms is that it's a lot of work to build your own chip fabrication machines when you just wanted to sell chat bots.
Chat bots on your own hosted platform which has no users isn't something people will want to buy. I mean, some people will want to buy it for click to chat on their websites or something. But if there's a market for chat bots in general spaces, you have to address that market where people are chatting, which is Discord, apparently.
immibis
Unless you're prepared for the business to last an unknown limited amount of time.
Pretty much every business is built on shaky foundations. If you never built business on shaky foundations, you'd never do anything at all. You needed an IBM-compatible PC to use Windows! You need a web browser to use Hacker News. Y Combinator is only meaningful as long as dollars are worth something.
If you make a business that runs on IBM PCs, make a few billion dollars, then 10 years later IBM rugpulls the PC line and sues everyone who copied it... was there really a "lesson" that needed "learning" or did you simply succeed at business and make a few billion dollars?
almosthere
Not really possible. If you're using the DNS system or even an internet connection - you're on someone's platform that may want to pull your plug.
encom
>Discord Is Threatening to Shutdown
I was excited there for a second.
merb
The biggest problem is that discord has no way to authorize these platforms without the user giving them credentials. It’s really stupid because it would be so easy to fix.
everforward
I think that's because Discord doesn't want them to do it this way. I suspect Discord wants BotGhost to operate their own bot with their own credentials, and have users invite the bot to their servers (similar to how many existing bots work). BotGhost could tell which no-code workflows apply based on server and/or channel ID.
I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
anfilt
Graph like coding environments like this are a form of code though, so I can definitely see the argument that they just are hosting the users bot for them.
ranger_danger
I have not been able to use Discord for years, even when I try hard against my better judgement. It always ends with one of these:
Create new account: all servers stuck in preview mode permanently
Create new account: instantly auto-banned
Create new account: phone-walled immediately
Create new account: banned immediately after providing phone number
Ban appeal: "our automated system is working properly, appeal denied"
Doesn't matter what computer/ISP/OS/browser/etc. I use, the experience is always one of these.
BeFlatXIII
Try using a gmail account.
ranger_danger
I'm not able to create one without a phone number, been trying for years.
linotype
Kind of lame to put competitors on blast.
junon
That wasn't the point of that. I think that's fairly obvious.
Bluescreenbuddy
>THESE GUYS DO IT TOO
Yup just throw everyone else under the bus.
immibis
General PSA: in most situations these things like "terms of service" and "breach notice" have no legal effect. (I am not a lawyer and this is not legal advice)
What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.
It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.
literalAardvark
Discord has been against botting personal accounts for a long time. If you want to automate, you make a bot account and ask the server permission to join with it.
immibis
Then it's a good thing that's what BotGhost does. Except Discord's saying you're not allowed to do that either now.
delfinom
$5 Discord is doing it because they realized they can "clone" the idea and sell it as a subscription service.
koakuma-chan
Sorry for your loss. I too virtually stopped using Discord in favor of, mostly, Reddit (lesser of two evils).
zapzupnz
I'm not sure how the two are remotely comparable. I don't go to Reddit for live discussion, voice and video chat, etc.
koakuma-chan
I used to go to Discord for help, and now I go to Reddit for help.
zapzupnz
That makes sense.
anonym29
The lesser of two evils is still evil. Make Forums Great Again!
gagik_co
Agree! I finally set up my own NodeBB forum for my app support and I'm very excited to move in this direction. It was a nicer experience than expected.
immibis
Reddit is more evil than Discord IMO - they did this years ago, tried to shut down all bots and unofficial apps, and they heavily manipulate consensus opinion, which Discord doesn't as far as I know.
add-sub-mul-div
I can't think of any way to look at this where Reddit is the lesser evil. I respect the position but I don't understand it. Reddit and Twitter reached the floor of enshittification with their respective 2023 actions. Discord and others may follow the precedent and get there, but my usage hasn't been affected yet. The Discord official client, unlike Reddit/Twitter, is still ad-free except for the occasional icon highlighting their "Shop" tab.
koakuma-chan
> is still ad-free
I use an adblock, so I don't see any ads on Reddit.
> I can't think of any way to look at this where Reddit is the lesser evil.
Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.
hatsix
That's the individual server, not a standard Discord policy. Subreddits can also make gates that are exclusionary. So... not Discord the company.
Even if it was, "Requires a verified phone number" is not "Evil". You might not like it, it might be incomprehensible, it might be exclusionary, but it's not "Evil".
koakuma-chan
It’s a discord issue if individual servers are incentivised to require a verified phone number.
glonq
are you sure you know what 'lesser' means?
/s
neom
I'm building a lot on discord right now, I like it but I keep getting scared, then I think, eh, irc servers could have gone away too I suppose, in fact they did, much was lost. I'm sure I'm missing a lot of nuanced thinking in this though.
monkeywork
The massive nuance you are missing is that IRC had a default expectation of being ephemeral in nature. Sure you might use IRC for chatting and have some bots around that - but typically your long term storage of information would have been handled in something like a forum, website, email list, file repository, etc - so that even if an individual IRC server went down it wasn't a big deal to move along. IRC was/is less a platform and more a protocol.
Discord on the other hand does everything IRC does but people have made it take the place of forums, blogs, file repos, etc etc. All this information is locked up in a platform that can't be searched or often even accessed without signing up for the platform. Unlike IRC however Discord is not a protocol that others can tie into - it's a platform and they can/do actively lock people out of it.
mschuster91
> The massive nuance you are missing is that IRC had a default expectation of being ephemeral in nature.
Bouncers and log bots have been a thing even 20 years ago when I was active on Freenode. In fact, a bouncer and log bot was what made me get my very first own VPS... time flies. It lasted a year until my first attempt at a libc upgrade failed, that was a lot of work to fix.
MiscIdeaMaker99
We definitely had bots on IRC in the 90s.
LambdaComplex
You can always run your own IRC server. If Discord shuts down, then you're out of luck.
neom
Indeed. Discord have really nailed the... ircd, if you will, for what I use discord for (community building in non-technical abstract user bases), it's perfect, terrifying, but perfect.
immibis
You can run your own Revolt, Mattermost, or Rocket Chat server, which is basically Discord.
johnisgood
and Zulip. But they do not support video and audio calls, for one.
sneak
If you believe this you haven’t used Discord very much.
Nextgrid
You are right, neither of his proposed alternatives start you out with a sea of blinking shit and distractions all over your screen.
sneak
IRC is decentralized; you can self-host. Discord, despite misusing the term “server”, is one user database and one centralized organization.
robinhouston
I was sympathetic up until the line
> Over 3 million users and bots created
which struck me as thoroughly disingenuous. Surely they know how many users they have, and how many bots have been created. Why conflate the two?
superb_dev
They clearly have the data too. Their home page states ~2M bots and ~1.5M users
pnw
It feels to me like Discord is speed-running the developer relations playbook that we've seen happen over a longer timeframe with large platforms like Apple and Google. This is the second high profile incident like this in recent weeks IIRC.
What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.
altairprime
Discord has a monopoly on access to its users, and so does not need to concern themselves with making it attractive to build there: the users are the draw, not the developer-friendliness of the platform. BotGhost should seek anti-monopoly enforcement; having EU users file the appropriate EU claims to appeal for Discord to be subjected to the DMA would be far more a threat to Discord’s monopoly than user support tickets are likely to persuade them.
brookst
Wait, doesn't every company have a monopoly on access to its users? Are we all monopolies?
altairprime
No? LinkedIn lost a lawsuit about prohibiting third parties tools from accessing its site, Matrix has strong interop, Elite Dangerous offers OAuth API for sign-in and player data download, and so on. There are others but that’s sixty seconds worth of thinking about it.
Mastodon metastasized the user store but each site is still a tiny centralized user store. That’s how user stores work. Doesn’t mean they’re automatically monopolistic.
Discord’s taking the Reddit-Apollo approach to forcing them offline — half-assed conversations for months followed by an abrupt fuck-you moment with little recourse — which given Discord’s free of charge growth mechanism, means that — just like Reddit — they’re likely going to shutdown anything by that’s providing a valuable service to a significant fraction of their users, either to Sherlock and charge money for it, or simply to terminate what they view as an obstruction.
brookst
So my small app that had maybe 50k users at peak never allowed third party integrations. How is that not a monopoly by this definition? Would it have been more or less of a monopoly if I had allowed third party integrations?
Has there ever been anything warm and fuzzy about discord?
mschuster91
There's one thing missing from the "What you can do", although I admit it's a tough call for anyone not located in SF: actually go on the street and physically protest at the office. It's easy to dismiss blog posts, youtube videos or social media shitstorms, we've all grown accustomed to the noise.
But it's hard to ignore actual people on the street in front of your office calling out your bullshit. In addition, it gives nice pictures for the press, and that's the only thing investors actually fear.
almosthere
So it sounds like you just go open source and let people host their own bot
immibis
You can already do that. People who want to do that aren't using BotGhost.
nubinetwork
I was under the impression that writing a third party client was against TOS, and don't you have to write a client to get your bot to interact with the server?
junon
No. Discord has an official and formalized bot API.
The breach in question is documented here: https://youtube.com/watch?v=lUiLBBab1RY
I don’t think there’s a text write-up, but tl;dw a combination of missing input sanitization and no-code UI trickery made it possible to leak other users’ bot tokens, and despite patching the exploit pretty quickly on exposure, BotGhost’s developer tried to cover it up and refused to reset potentially affected tokens.
I really dislike the way they try and play this down in the doc:
https://update.botghost.com/#-summary-of-the-breaches-
But it is correct that the article does not reiterate the technical details of the exploit.
So now botghost is doing a pentest. But I dunno... my guess at the likelihood of doing a good job backfilling security into a codebase that wasn't built with that as a core concern is also low.
I suppose they could have logged only if a bot token was detected in output. But if you'd think to do that, then why not also just block the output?
A while back there was a service called 'Spy Pet' that ran hundreds of discord bots selling access to searchable data logs. I wonder if discord is primarily concerned about the massive logging capability of services like these.
That cuts out a lot of the value for LLM training; and will reduce the blast radius if Discord ever decides to fully pull the plug on message access.
Tech will turn into a casino where the house (aka the platform) always wins.
I only ever did this on my own server for good reason, but still.
Really a bot doesn't have any more access than a user does. You as a user can manually scroll back through the entire server history, you can check on roles, and you can see the names of channels that are hidden from you.
But it becomes a problem when bots are doing this at scale and selling the resulting data. Sort of like some other bots that people like to argue are doing the same thing a human could.
> Unfortunately, the only method currently offered by Discord involves committing them to a public GitHub repo, which is not a viable or secure option.
For whatever it's worth, I actually think this dev is understating the impact of their security issues. They had 2 token leaks - albeit conditional and with prerequisites. Given the sorts of tokens that a user has to supply to use this sort of generic app builder, this is pretty serious.
That said, I think inconsistent enforcement, when it favors them, is a really bad look on Discord. It totally looks like they're doing cover-their-ass, whack-a-mole, public relations-driven enforcement.
None of that matters in the slightest. They're dealing with an indifferent, capricious, unaccountable company. And trying to do it without enough leverage to even get a response.
It seems like it's about to end the way it was always going to.
i was sorta curious on the policy changes over time, since botghost has been around since '18. all i can say is good luck to botgost
histories of policies-ish:
- from the tl;dr (they also explain #4 as well in the non-tl;dr):
> Discord issued a breach notice to BotGhost, claiming the platform violates Developer Policy 4 by handling bot tokens, which has been a core part of how BotGhost has worked since 2018.
- policy from discrap: https://support-dev.discord.com/hc/en-us/articles/8563934450...
> 4. Do not collect, solicit, or deceive users into providing passwords or other credentials. Under no circumstances may you or your Application request or attempt to obtain login credentials from Discord users. This includes information such as passwords or account access or login tokens.
- policy in 2022 (of that page, but note the random digits in the numbers make it terrible to easily see history), thanks archive.org!: https://web.archive.org/web/20221001073449/https://support-d...
> Do not collect, solicit, or deceive users into providing user login credentials. Under no circumstances may you or your Application solicit, obtain, or request login credentials from Discord users in any way. This includes information such as passwords or user access or login tokens.
- and archive.org of github of the before 2022 change (mentioned in the above archive) (does not really mention collecting of user auths - as per my quick glance [i welcome a double check]): https://web.archive.org/web/20220921062136/https://github.co...
edit: fix copy-pasta
Rules are there for a few reasons, but precisely enumerating the things you can and cannot do isn't one of them. (That's why programmers definitely shouldn't litigate pro se.)
One purpose is to try to indemnify the institution making the rules: "See, we said you're not allowed to do X. Damages resulting from X aren't our fault." Another purpose is to deter bad behaviour: if they say you're not allowed to do X, you're less likely to do X. A third purpose is to provide cover for their actions - most easily by writing a rule that literally everyone breaks and then selectively enforcing it, or by writing vague rules you can selectively interpret. If they can punish you and then point to a rule you allegedly broke, you're more likely to accept it and less likely to retaliate. Notice how all of these purposes have to do with manipulating other people. (Are you reminded of any countries?)
You should do it too, if you want to be successful in an amoral business environment. Don't hate the player, hate the game.
Unless your customers pay extra for well-defined rules to create a stable environment for themselves. In that case, you should do that, and take their money. That sort of thing is, for example, why some people would rather pay more for a technically inferior Fairphone or Librem than a flagship Android phone or iPhone.
The existence of terms like this make any discussion of the other terms look pretty silly.
Their policy is simply that they do whatever they want, and that hasn't changed.
yup! and don't forget they can change their policy whenever they want too
also they rank D on this site: https://tosdr.org/en/service/536
> BotGhost cannot export bot configurations due to its no-code structure. If shutdown happens, all bots and user data will be permanently lost.
I don't think I understand this part - what does the "no-code" mean in this context? How can this data not be stored somewhere for the service to function at all? Does this mean that BotGhost also has no backups, and a technical glitch could cause a similar problem?
However, they do claim that Mee6 (the biggest Discord bot by # of servers, iirc) offers a similar feature but Discord is letting them slide?
Not saying it's the right thing to do, but it seems to be their reasoning.
Can you imagine the value to LLM companies?
It’s probably the single largest collection of sexting content outside of WeChat (and Apple’s archive of iCloud Backups that contain all of the iMessages).
I get the non-techie blindspot that all of us have in some form or another. With that in mind: it took three days to give my brother a crash course in Linux + Docker for his own home server (and even then he only knew the very basics). He’s fairly proficient in tech: builds his own desktops, knows the basics of code, doesn’t shy away from digging into the why, etc.
It would be unrealistic (and frankly irresponsible) to expect someone to setup _and understand_ a Docker server setup from a 10-minute video.
Basically, you are likely in competition with something they are making, or are otherwise bad for business. The specific policy violation they choose doesn't matter– you are getting dicked down because they want it to be so.
discord ain't a monopoly in any relevant sense of the word
Never build your main business on somebody else's platform.
Always assume that you will get shutdown / rugged when you do so.
You're being facetious, but OP is right. For software platforms, this has been a constant. It happened with Twitter, Facebook, Google (Search/Ads, Maps, Chat), Reddit, LinkedIn - basically ever major software platform started off with relatively open APIs that were then closed-off as it gained critical mass and focused on monetization.
If your move is to simply retreat, and give up all this ground, what market is left for you? People who get their news and ads by paper mail, shop only at tiny independent stores, paying in cash? How many businesses can survive with ~5% (a generous estimate of the described market's relative size) of their current traffic?
[1] https://www.bentbusinessmarketing.com/why-your-fans-arent-se...
Yep. It’s a lesson that keeps being re-learned the hard way.
It’s bad advice.
I'm not sure which platforms those companies built their businesses on .. are you equating build an app on iOS or Android with building an app that relies on, say, Facebook APIs and only works on Facebook?
When Uber came out and for years afterward, there were no location APIs in mobile browsers.
When Instagram came out, there was no way to access the camera or photos in web apps.
Are there any (profitable) phone apps that are not build on top of the app/play store?
Android also supports third party stores/standalone installers and iOS is fighting an ongoing legal battle due to its lack of a permanent equivalent.
You have to build on something, and there's going to be a corporation somewhere in your stack.
Discord, Twitter, Reddit, etc. that have become hostile to third parties have free APIs to reel in developers to make their platform more attractive to users, and once they’ve reached critical mass, they turn around and fuck over those developers. This is because their primary business model is serving their users, and developers eventually “get in the way”.
So the person you’re replying to should add an addendum: never build your app/business on top of third parties IF their primary business models aren’t providing services to developers.
Chat bots on your own hosted platform which has no users isn't something people will want to buy. I mean, some people will want to buy it for click to chat on their websites or something. But if there's a market for chat bots in general spaces, you have to address that market where people are chatting, which is Discord, apparently.
Pretty much every business is built on shaky foundations. If you never built business on shaky foundations, you'd never do anything at all. You needed an IBM-compatible PC to use Windows! You need a web browser to use Hacker News. Y Combinator is only meaningful as long as dollars are worth something.
If you make a business that runs on IBM PCs, make a few billion dollars, then 10 years later IBM rugpulls the PC line and sues everyone who copied it... was there really a "lesson" that needed "learning" or did you simply succeed at business and make a few billion dollars?
I was excited there for a second.
I think Discord has a fair argument that if BotGhost "writes the code" (read: translates workflows to actual execution), and BotGhost operates the bot, then really it's BotGhost's bot and they should own the bot and have it be visible to users as their bot.
Create new account: all servers stuck in preview mode permanently
Create new account: instantly auto-banned
Create new account: phone-walled immediately
Create new account: banned immediately after providing phone number
Ban appeal: "our automated system is working properly, appeal denied"
Doesn't matter what computer/ISP/OS/browser/etc. I use, the experience is always one of these.
Yup just throw everyone else under the bus.
What they do is the same as a "cease and desist": they warn you that Discord might consider suing you or might try to ban you by technical means.
It's all about business, not what the terms say. If Discord thinks BotGhost is good for Discord's bottom line, they'll let it exist. If they think it's bad, they'll stop letting it exist. I haven't the slightest clue why Discord now thinks BotGhost is bad for Discord's bottom line, but it's probably got something to do with legibility (in the Seeing Like A State sense) to investors for their IPO. Or they're working on a competitor internally.
I use an adblock, so I don't see any ads on Reddit.
> I can't think of any way to look at this where Reddit is the lesser evil.
Reddit is the lesser evil for my personal use case because more and more Discord servers require a verified phone number to send messages. I can't get help if I can't send a message.
Even if it was, "Requires a verified phone number" is not "Evil". You might not like it, it might be incomprehensible, it might be exclusionary, but it's not "Evil".
Discord on the other hand does everything IRC does but people have made it take the place of forums, blogs, file repos, etc etc. All this information is locked up in a platform that can't be searched or often even accessed without signing up for the platform. Unlike IRC however Discord is not a protocol that others can tie into - it's a platform and they can/do actively lock people out of it.
Bouncers and log bots have been a thing even 20 years ago when I was active on Freenode. In fact, a bouncer and log bot was what made me get my very first own VPS... time flies. It lasted a year until my first attempt at a libc upgrade failed, that was a lot of work to fix.
> Over 3 million users and bots created
which struck me as thoroughly disingenuous. Surely they know how many users they have, and how many bots have been created. Why conflate the two?
What's even stranger to me is that Discord was putting on a full-court press to get developers onto their platform over the last twelve months. This kind of response is certainly not going to help make devs feel all warm and fuzzy about continuing to build on Discord.
Mastodon metastasized the user store but each site is still a tiny centralized user store. That’s how user stores work. Doesn’t mean they’re automatically monopolistic.
Discord’s taking the Reddit-Apollo approach to forcing them offline — half-assed conversations for months followed by an abrupt fuck-you moment with little recourse — which given Discord’s free of charge growth mechanism, means that — just like Reddit — they’re likely going to shutdown anything by that’s providing a valuable service to a significant fraction of their users, either to Sherlock and charge money for it, or simply to terminate what they view as an obstruction.
But it's hard to ignore actual people on the street in front of your office calling out your bullshit. In addition, it gives nice pictures for the press, and that's the only thing investors actually fear.