Let's Reverse Engineer Discord (medium.com)
Edit: Yep, I thought I remembered reading this. Their voice servers are WebRTC SFUs. So this is basically state-of-the-art when it comes to voice over WebRTC. End-to-end encryption in WebRTC is not possible if you are using an SFU. https://blog.discordapp.com/how-discord-handles-two-and-half...
[1]. https://www.callstats.io/blog/2018/06/01/examining-srtp-doub...
> SFU stands for Selective Forwarding Unit.
> At times, the term is used to describe a type of video routing device, while at other times it will be used to indicate the support of routing technology and not a specific device.
> An SFU is capable of receiving multiple media streams and then decide which of these media streams should be sent to which participants.
This is true for all WebRTC implementations/services. They all state having end-to-end encryption but don't tell you that it means something different in WebRTC contexts.
PERC will solve this one day, but it's sadly just a draft: https://webrtcglossary.com/perc/
1) to improve audio quality.
2) to help prevent RCE attacks on the destination client.
3) re-encoding at lower bitrates for low bandwidth clients.
I don't really see the issue here unless Discord claimed they do not decrypt the audio.
They tried to create a small competitor to Steam's game marketplace but it didn't work out. They're back to the drawing table. Honestly, that's actually really good for free users, like myself, because we can simply use discord's wide array of functionalities for free: Seamless audio and video sharing, wide extensibility of the platform through APIs and bots, simple file-sharing, chat persistency, mobile clients + web client, ability to pick server location, codecs, moderation tools...and the best feature in my opinion...their amazing changelogs popups.
Honestly security wise it might not be very clear, as per this article, where they stand today, I am still super stoked about every other aspect.
Unless Discord claimed they were P2P encrypted this shouldn't be a witch hunt. It's the default behavior for most WebRTC systems.
The clients establish (encrypted) connections to the SFU(s). The SFU then reads incoming data and forwards it to whichever other clients are supposed to be receiving it. However, they maintain state per client and possibly do things like transcoding audio and video if the receiving client can't handle the source quality.
This proves parsing or filtering is happening on Discord's end to the decrypted message.
> We tested this malformed audio packet dispatch at various points during a voice call and consistently watched all malformed audio packets dropped by the server, which means that Discord servers are actively decrypting and inspecting all audio/video communications in real-time and not just some.
1. Applying a censor to voice depending on server/user DM configuration. I know they've got some kind of OCR that tries to identify and block offensive words contained in images, such as the N word, when people are not friends and at least one side hasn't changed the “safe direct messaging” option down to “I live on the edge”.
2. Store records at least temporarily for law enforcement.
And the obvious other things are keeping for post-processing and derive user interests for advertising, or batching and forwarding the information to intelligence agencies.
It's hard to tell, really.
Is it really too much to ask for/expect a modicum of decency with these services?
In an ongoing effort to better understand and serve the users of the Services, we may conduct research on our customer demographics, interests and behavior based on the information collected. This research may be compiled and analyzed on an aggregate basis, and we may share this aggregate data with our affiliates, agents and business partners. We may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.
For example, they could do sentiment analysis on corporate chat, track it over time, and see which companies show patterns indicating trouble. Then they could short the stock, buy put options, or suggest to their "current and prospective business partners" that low-ball acquisition offer would be appropriate.
Do you know if there are plans to support Discord-style persistent voice rooms?
I often experience cuts with skype and discord, I think their servers can have a hard time handling low latency properly.
That is one of two reasons why Microsoft switched to server-client model instead of p2p connection.
Other being having control of the service and with call and message history makes more money of course.
You can read the story at: https://arstechnica.com/information-technology/2018/09/skype...
>For the second time, Zennström and Friis cashed in on selling Skype. That's because, instead of giving eBay the critical base technology that kept Skype going (the P2P system known as "Global Index"), Zennström's and Friis's company Joltid still owned it—they simply licensed it to Skype. The whole situation devolved into threats of litigation until a 2009 settlement gave Zennström and Friis a chunk of Skype ownership, which made them even more money when Microsoft bought the company.
from their ToS:
"Any data, text, graphics, photographs and their selection and arrangement, and any other materials uploaded to the Service by you is “Your Content.”"
"By uploading, distributing, transmitting or otherwise using Your Content with the Service, you grant to us a perpetual, nonexclusive, transferable, royalty-free, sublicensable, and worldwide license to use, host, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform, and display Your Content in connection with operating and providing the Service"
Maybe an audio engineer or cryptographer could chime in?
Bots are able to send whatever bitrate they want to the channel, and other clients receive it as is.
The server simply relays Opus data without re-encoding it.
Where? All I see is setting bitrates on channels, but not on the client/app as a whole.
https://www.reddit.com/r/discordapp/comments/8nzb5d/why_is_d...
As a remote worker on an almost entirely remote team, we would benefit from a sort of voice channel huddle on-demand or even just watercooler chatting. There is something more casual about jumping into a premade voice channel where people may already be chatting than starting a Webex or initiating a Slack call that could introduce more "togetherness".
Something with this functionality was on my list when we were evaluating SaaS for our team and I really wanted something similar to Discord.
Of course no one would go for it as it's branded, but having a forked version that doesn't bear any resemblance should be doable with minimum work.
Exactly this. I'd likely pay for a corporate branded Discord software that was named different and didn't use my personal Discord ID.
Discord needs to capitalize on its greatest asset: a massive community. To me, the obvious path forward is doing Patreon like features for servers and perhaps trying to break into the streaming market.
Their idea of patrons is boosting servers for perks which is sort of similar but the price of boosting is far higher than Patreon sponsorship and there's no way afaik for servers to customise what the booster gets as reward (the whole server gets the reward)
It might also be possible they're trying to build critical mass to get bought by some gaming company. Perhaps Amazon for Twitch integration? MS in some bold attempt to buy a userbase for their PC game store?
Due to the fact that I'm on one for work, Slack is already earning more off me than Discord is but they still want more. It makes it impossible for me to like them. Discord having lower friction for joining multiple small servers is a plus here too, because it means I'm not stuck joining a big poorly-moderated community just to chat with a small group of friends.
It's not game-changing but I also think things like 'high quality group video calling', 'screen sharing', and 'high quality group audio calls' are perfectly reasonable things for Discord to sell. IIRC some stuff like that is currently gated behind Nitro. The ability to use emotes cross-server is also quite popular so I see many people buying Nitro just for that. I personally have a small Discord server for my family and I use it for my personal collection of cross-server emotes.
Now try to understand why the average person cares even less.
Gmail has excellent reliability, deliverability, & spam filtering. On the other hand Google gets to read all my email. Naturally then, I use Gmail for some things, not for others.
Otherwise people with good networks who have their call quality dragged down will just think Discord's voice chat is bad.
[1] Discord Announcement https://blog.discordapp.com/the-discord-store-beta-9a35596fd...
[2] Epic Announcement https://www.unrealengine.com/en-US/blog/announcing-the-epic-...
In all fairness, though, the recent releases of Slack made it pretty snappy.
This is a really neat idea though. Truncating the packet to change the bitrate per client without re-encoding.
[1]: https://en.wikipedia.org/wiki/Bitrate_peeling
[2]: https://wiki.xiph.org/index.php?title=Bounties&diff=196&oldi...
GOG is a rather niche store with a strategy contrary to Epic Games (in fact, there is this popular item on a functionality wishlist: https://www.gog.com/wishlist/site/do_not_get_bought_by_epic_...). For most customers, GOG is a secondary store mostly due to its DRM policy which I don't see a chance of Epic Games keeping if they were to purchase the store (if anything, due to Fortnite). GOG isn't really profitable currently, but selling it to Epic Games of all companies would risk PR and could cause skilled developers to leave CD Projekt. It wouldn't make sense for both Epic Games and CD Projekt.
Meanwhile, Humble Store does pretty well, and I don't think IGN is interested in selling it.
I haven't met anyone who is using discord as an alternative for WhatsApp, Telegram, etc., from my experience, discord is mainly used for on-topic discussions rather than private communications.
And as other comments suggest, there are legitimate reasons why discord might want to decrypt the communications on their end. Plus, I have never seen any claims by discord to be p2p encrypted.
There's more to choosing enterprise software than just the features and reliability. My guess is that Skype was included for free in an existing Microsoft contract (Windows 10 PC's, or Office), whereas discord would require an entirely new contract.
Sounds like you just manufactured a bunch of problems for yourself with no benefit. Talk about an enterprise state of mind.
I think Teams is much closer to a Slack ripoff than a Discord ripoff.
This notion also does not translate very well to things which are not related to IT. I use a very large number of things in my daily life which I am not paying for but I still expect them to work and be safe. Or would it be fine if I take an elevator and it falls down and kills me? Or whoops, I got a free candy which turned out to contain toxins. I guess I didn't pay for the service so why do I have some expectations for it to work or be safe?
Those things are paid for by someone who is expressly giving you rights to those goods/services. Just because Method Gaming is paying for their discord server so you can enjoy your free service, doesn't mean they are necessarily aware that you are using their paid-for server resources. OTOH, if I am renting an apartment from a building (which I pay for) and someone comes to visit me in the elevator, I expect that the elevator cost I pay for through my rent is safe enough for you to travel in.
> guess I didn't pay for the service so why do I have some expectations for it to work or be safe?
Safe != privacy. The issue is not necessarily security (although there is an implication there as well), but more so it's privacy.
It doesn’t seem fair to burn Discord at the stake for a feature they never claimed to provide.
If you want to argue that Discord's measures in this case are fair then I'm fine with that, but just something like "STFU the service is free" is not enough when it comes to these companies with massive impact on society, IMO at least.
Edit: After thinking about this a bit more, I guess the point is that if they are just dropping (potentially) malicious data, or in your case not letting a gorilla through the door. This does not have anything to do with the service being free as far as I can see, they can be argued for independently.
Instead I see people defending questionable behavior by pointing out that the service is free. And the point I tried to make originally was that I would like to at least be informed about the questionable behavior, so I have a chance to take this extra "cost" into account when I select a product.
You can say that about almost anything.
The question is: is it possible today where it has an impact today in actual browsers today.
Future technology does not matter when there is no implementation.
You can just admit you googled it and didn’t realize it was not something you can do today in browsers, it’s ok :)
We simply cannot expect something to be had for free without making money to support the service. Unfortunately, one way to monetize the service is to sell user data.