Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.
UnderpantsWeevil@lemmy.world
on 09 Feb 16:40
nextcollapse
Users who aren’t verified as adults will not be able to access age-restricted servers and channels, won’t be able to speak in Discord’s livestream-like “stage” channels, and will see content filters for any content Discord detects as graphic or sensitive.
Shrug
I’m not using discord for porn, so I’m not going to lose sleep. Will simply live with a “teen” account until my groups migrate to a better service.
But you’ll get my biometrics from my cold dead hands.
They will also get warning prompts for friend requests from potentially unfamiliar users, and DMs from unfamiliar users will be automatically filtered into a separate inbox.
GOOD
Crazy they didn’t implement this years ago. Discord is bloated with fake user spam.
The last point is already implemented, and as someone who regularly has to get DMs from strangers, I have those options off. I guess now I can’t do that.
Usability is good in my opinion. They’ve spent a lot of time on the UI over the past couple years. The mobile Element X apps are excellent now IMO.
But the two things that prevent matrix/Element from being a good discord replacement are:
No Mumble-like voice chat. They have Zoom-like conference calling now, but no voice channels.
Search is either non-existent (mobile clients) or is awful. It’s somehow worse than Discord’s search! I know it’s because the search needs to work on-device because of E2EE, but unfortunately it’s still a minus point vs Discord.
moonpiedumplings@programming.dev
on 10 Feb 03:05
collapse
Honestly, the best solution to 1 may be to simply deploy mumble in addition to matrix (or other chat apps).
Seconding this, just use mumble. It’s self-hosted free and open source software, easy on resources, provides very low latency, and it’s very stable and reliable.
The client might look a little dated but I still love it. I don’t care for stupid electron apps, which every modern application seems to be.
ZombieCyborgFromOuterSpace@piefed.ca
on 10 Feb 02:37
collapse
LOL! That’s so true! Even I have trouble navigating.
EstraDoll@hexbear.net
on 09 Feb 17:10
nextcollapse
in other news: next month i will be attempting to bypass discord’s “AI” powered security features. I expect to overcome them in 4 minutes with a pic of an ID i found on the internet
PleasantPeasant@lemmygrad.ml
on 10 Feb 05:59
collapse
im hoping i can use an ai altered image of stalin or some other communist leader like that lmao
desmosthenes@lemmy.world
on 09 Feb 17:17
nextcollapse
RIP Discord
RotatingParts@lemmy.ml
on 09 Feb 17:22
nextcollapse
I hope for once people would get together and drop Discord so that Discord would have to reverse this policy. So often, we the customers really have the power if we get together and act together. All these social networks are nothing without the contributions of the customers.
As the adage goes, if you’re not paying for it (and often even when you are), you’re not the customer.
Whostosay@sh.itjust.works
on 09 Feb 20:31
collapse
We should append this, …" or it is open source"
tehWrapper@lemmy.world
on 09 Feb 17:24
nextcollapse
However, some users may not have to go through either form of age verification. Discord is also rolling out an age inference model that analyzes metadata like the types of games a user plays, their activity on Discord, and behavioral signals like signs of working hours or the amount of time they spend on Discord.>
do you know if stoat’s ios client good enough? last i tried the android one was also very basic.
mnemonicmonkeys@sh.itjust.works
on 10 Feb 13:19
collapse
I don’t use ios and I don’t know what your standard of “good enough” is.
I’ve tried ouy the android one back when it was named Revolt and I though it was on par with Discord from a few years ago before they added in all the stickers and games, so I thought it was “good enough”
Just try it and see
Postmortal_Pop@lemmy.world
on 09 Feb 17:43
nextcollapse
New to the whole privacy space, what should I start moving my social group to that’s like discord but not doing this?
PleasantPeasant@lemmygrad.ml
on 10 Feb 06:03
collapse
can someone on a server that isnt defederated from lemmy.world send this comment for me?
copied from earlier comment above:
teamspeak (although i dont think they have teamspeak 6 server files available yet?), riot! (now called stoat apparently?), mumble, matrix, and jitsi meet
oh yeah if you’re ok seperating the chat and voice app i really like deltachat for chatting in the group
Mumble (I’ve installed a server a while ago and had no fucking idea how to do anything with it, certainly not to the point where I’d feel confident to invite people to it as a discord alternative)
Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed
MeetMeAtTheMovies@hexbear.net
on 09 Feb 22:39
nextcollapse
Dude my dnd campaign is run on Discord what the fuck. Do I need to start hosting open source voice and video chat?
PleasantPeasant@lemmygrad.ml
on 10 Feb 05:55
collapse
it’s fine as long as you dont have the server marked as 18+
also, supposedly they will be having an ai determine people who are 18+ so you might not even need to upload anything
still, if this leaves too sour of a taste in your mouth the alternatives i can think of off the top of my head are: teamspeak (although i dont think they have teamspeak 6 server files available yet?), riot! (now called stoat apparently?), mumble, matrix, and jitsi meet
oh yeah if you’re ok seperating the chat and voice app i really like deltachat for chatting in the group
hexagonwin@lemmy.today
on 10 Feb 11:53
nextcollapse
Riot renamed to Element.io, Revolt renamed to Stoat.chat
greencoil@lemmy.frozeninferno.xyz
on 10 Feb 13:34
collapse
Teamspeak 6 self hosted servers are in open beta, and is a comparable experience in quality/features to people looking for a Discord replacement. All the open source Discord clones don’t have group screen sharing available yet.
SpaceCrystal@lemmy.ml
on 09 Feb 22:58
nextcollapse
Yeah, you go ahead & do that, & watch how many people will jump ship to other alternatives while you lose a lot of money & subscriptions, especially when you’ve been hacked before.
People have found other alternatives to TikTok, & they’ll do the same with Discord.
We need something like what Lemmy is to Reddir, except for discord. A decentralized application with multiple instances that users can join.
I have a discord server of about ~1K members, and would love to spin up a docker container to host my own instance that users can join. Chat, voice/ video calls, video streaming, etc. I’d love to support a FOSS project like this. Maybe even have E2E while we’re at it!
Closest I can think of is Matrix. Element isn’t bad.
UltraGiGaGigantic@lemmy.ml
on 10 Feb 05:51
collapse
Matrix is the way, and element is the best so far, but it needs more work.
borrowed_atoms@lemmygrad.ml
on 10 Feb 03:17
nextcollapse
Stoat (formerly called Revolt) is potentially that. I tried it a while back and it was still rough around the edges, but the potential was there. Open source and has potential for self hosting.
We left it mostly because there were better services out there + the UI was considered outdated and all. But personally, I’d rather take the outdated UI than have my data stolen.
PleasantPeasant@lemmygrad.ml
on 10 Feb 05:51
collapse
teamspeak 4 felt like it was in the stone age while discord had a bunch of cool ass features for chatting outside of voice. it also was much more appealing to casuals by being free to use and super easy to set up your own server, whereas setting up your own teamspeak server involved portforwarding and whatnot that turns off the vast majority of “normies”
UltraGiGaGigantic@lemmy.ml
on 10 Feb 05:47
nextcollapse
I’m not against age restrictions, but letting every site brew their own method is a really bad idea. I’m not going to upload my legal ID to every random site; that’s a recipe for identity theft, and it’s a really bad idea to teach people that that’s normal or acceptable.
And age guessing through facial recognition is incredibly unreliable. My 16 year old son has already been accepted as 18+ somewhere. I had a full moustache at 14. Others are blessed with a babyface well into their 30s.
The only right way to do this, is if governments provide their citizens with an eID that any site can ask “is this person 18+?” and get an accurate answer without any other identifiable info. And if you don’t want the government to know what sites you visit, have sites route the request through a proxy.
But instead everybody’s got to cobble together their own improvised system that we just have to trust blindly is not going to sell our data.
M1k3y@discuss.tchncs.de
on 10 Feb 21:06
nextcollapse
And if you don’t want the government to know what sites you visit, have sites route the request through a proxy.
Actually, no on the fly communication with the issuer is required for selective disclose.
You just need a signed document with individually salted hashes of different properties and you can create a zero knowledge proof non-interactively. Zero knowledge meaning that truely nothing but the disclosed property (age > 18, County == DE, or whatever) is communicated to anyone.
Theres a lot of other cool stuff that can be done with zero knowledge digital identity wallets. You could for example hash your pubkey together with the service providers pk and disclose that as a per service ID, but not reveal your pk. This allows linkability within one service (as a login method for example) while preventing cross service linkability.
That prevents the site from knowing your identity, but I’m not convinced it prevents the government from knowing you visit the site. The government could keep track of which document corresponds to which individual whenever they issue / sign it.
So if the government mandated that each signed proof of “age>18” was stored by the service and mapped to each account (to validate their proof), then the government could request the service to provide them copy of the proof and then cross-check from their end which particular individual is linked to it.
The reason why it works is a bit complicated, but basically the trick is that the signatures are not immutable. Given a valid signature, it is possible to create a new valid signature over the same content that is not linkable to the original one. This means that it is still possible to derive, what authority signed the document, but the authority cannot know in which transaction it has signed that specific document.
If you have no way to link the signature to the original document, then how do you validate that the signature is coming from a document without repetition / abuse?
How do you ensure there aren’t hundreds of signatures used for different accounts all done by the same stolen eID that might be circulating online without the government realizing it?
Can the government revoke the credentials of a specific individual? …because if they can’t then that looks like a big gap that could create a market of ever-growing stolen eIDs (or reusing eIDs from the deceased) …and if they can revoke, what stops the government from creating a simulation in which they revoke one specific individual and then check what signatures end up being revoked to identify which ones belong to that person? The government can mandate the services to provide them all data they have so it can be analyzed as if they were Issuer, Registry and Verifier, all in one, without separation of powers.
I know there are ways to try and fix this, but those ways have other problems too, which end up forcing the need for a compromise… there’s no algorithm that perfectly provides anonymity and full verifiability with a perfect method of revocation that does not require checks at every user login. For example, with the eIDAS 2.0 system (considered zero-knowledge proof), the government does have knowledge of the “secret serial number” that is used in revocation, so if they collude with the service they can identify people by running some tests on the data.
The anonymous credential signature scheme that is planned to be used is BBS#, I don’t know how it handles revocation.
Additionally, BBS# proposes a solution for device-binding from ECDSA-signatures, relying on re-randomization of ECDSA signatures and public keys. Furthermore, a trust model for BBS# that covers revocation and proof of validity is defined in [BBT2025].
Seems like no ways of enabling privacy preserving revocation with bbs# are known jet. This means that arithmetic circuit based proofs would be the only way to enable revocation. And as they can prove any statement in NP with ZK, the fact that they can prove that a revocation id is not part of a given list is obvious.
github.com/…/ts4-zkp.md#22-proofs-for-arithmetic-…
www.microsoft.com/en-us/research/…/main-51.pdf
As crescent by Microsoft is one of the considered implemations, this paper is probably the most relevant work on revocation of anonymous credentials.
freedickpics@lemmy.ml
on 11 Feb 13:54
nextcollapse
and it’s a really bad idea to teach people that that’s normal or acceptable.
This is a point so few people mention. Normalising having to give up personal information online is such a dangerous thing to do and companies/governments that enforce this shit are setting people up to be scammed
if you don’t want the government to know what sites you visit, have sites route the request through a proxy.
I feel a proxy would not really make much of a difference. If the government keeps a mapping of which eID corresponds to each real person from their end (which they would do if they want to know what sites you visit) then they can simply request the services (and/or intermediaries) to provide account mapping of the eIDs (and they could mandate by law those records are kept, like they often do with ISPs and their IP addresses). The service might not know who that eID belongs to… but the government can know it, if they want.
The government needs to want to protect your privacy. If the government really wants to know what sites you visit, there’s no reason why they would want to provide you with a eID that is truly anonymous at all levels and that isn’t really linked to you, not even in state-owned databases.
Of course, a government has many ways they can legislate your rights, freedom and privacy away. But if you want to do this in a way that preserves privacy, this is how you do it.
Of course the government knows who you are; they have to. They issue your ID, and that makes them the only organisation that can issue your eID. But a government that serves its people would provide this an a service, with the proxy, to ensure privacy is respected.
And of course with a warrant they can and should be able to demand access to the proxy’s or the website’s logs. But only with a warrant. That is the bar that the government should always have to clear before they can get access to any citizen’s privacy.
I agree that a government that wants privacy can actually do it in a way that ensures privacy. That’s also what I was saying.
My point was that this is up to the government, and no amount of “route the request through a proxy” would patch that up, that’s not gonna help this case. Because this is not something that’s tracked in the networking layer, it’s in the application layer.
If the government wants to protect privacy, they can do it without you needing to use proxies, and if the government wants to see what sites you visit using these certificates, they can do it even if you were to use proxies.
If the proxy is independent, I don’t see how the government can know what the requesting site is. They can only see the proxy. I don’t mean a standard network proxy of course, but a proxy for the entire request. That’s probably the source of our misunderstanding.
They don’t need to know the requesting address in order for them to know if it was you the person corresponding to that proof of age, because the information is in the data being exchanged. These kind of verifications don’t depend or rely on IP address or networking, these are credentials that are checked on the application layer.
In fact, they don’t even need to directly communicate with the government for this.
This is equivalent to a registration office for a service asking you provide a paper stamped by the government that certifies your age without the paper actually saying who you are… the service does not need to contact the government if they can trust the stamp in the paper and the government official signature (which in this case is mathematical proof). And even though the service office can’t see your name in the paper, the government knows that the number written in the paper links to you individually, because they can keep record of which particular paper number was issued to which individual, even if your name wasn’t written in the document itself.
So, the government can, at any given time, go to those offices, ask them to hand in the paper corresponding to a particular registration and check the number to see who it belongs to.
The traceability is in the document, not in the manner in which you send it. It does not matter if you send the document to a different country for someone else to send it from a different address, on your behalf (ie. a proxy). If the government can internally cross-reference the registration papers as being the ones linked to your governmental ID, they can know it’s yours regardless of how it reached the offices. So this way they can check if you registered yourself in any particular place they wanna target and what your account is.
Obviously the government knows it’s you. That’s the whole purpose. But they don’t know the site that’s requesting this, if the proxy hides that from them.
They might not know the list of sites you visit right away in the same way they could by contacting your ISP when you are not using a proxy, but that wasn’t my point.
My point is that they can check with a specific site that uses this verification method and see if you have an account on that site, and if you do, which account in particular. And in a way that is much more directly linked to you personally than an IP address (which might be linked to the household/internet access you’re using but that isn’t necessarily under your name).
So in this situation they can indeed know if you use any one particular site that they choose to target, as long as that site is requiring you to provide them with a document, regardless of how many layers of proxies you (or the site) choose to be under.
I’m not sure what you mean by “the site that’s requesting this”, the site does not need to request anything from the government, they just need to have previously agreed on a “secret” mathematical verification method that works for every document. The digital equivalent of a stamp/signature.
But getting that information from the USP or the site would require a warrant. Not to mention that the site doesn’t have to know your real identity either.
And the whole point of this exercise is to ensure that you don’t have to provide any document to the site.
What I mean by the site that’s requesting this, is exactly that: you need to prove to a site that you’re above a certain age. For that, the site redirects you to the proxy that redirects you to the eID site, with a request to confirm that you’re above a certain age.
The site has fulfilled its legal obligation to check your age, but doesn’t have to know your identity, and the government doesn’t have to know what site you’re visiting.
I feel like you’re misunderstanding the scenario we’re discussing.
I feel you are talking about a different thing now. My point was surrounding what you initially said:
The only right way to do this, is if governments provide their citizens with an eID that any site can ask “is this person 18+?” and get an accurate answer without any other identifiable info. And if you don’t want the government to know what sites you visit, have sites route the request through a proxy.
An eID is a digital document. You yourself are proposing that sites should request people to provide a document, one that’s issued by the government to you, personally.
Then later you said that using a proxy prevents the government to know what you visit.
My answer was that if you are providing a government-issued document/file to the service then the government (the issuer) can know if you visit the site just by keeping track of who did they issue each document for and requesting the sites for copies of the documents. Even if the document itself does not say your name. And that’s regardless of how many proxy layers you use, since there’s traceability in the document. This makes you fundamentally less anonymous to the government than before (when you could have indeed used a proxy to prevent this), this makes proxies no longer a good defense.
The service does not know you, but that’s not the point, what you said is that the government can’t know if you visit the site, which is the one thing I disagreed with.
I’m still talking about the same thing, but I understand the nature of our misunderstanding now. You see eID as something you download and can share (but what kind of security would that provide?). I mean an online ID service, similar to the Dutch DigiD. I assume the EU eID is also something similar, although I have no personal experience with that.
An electronic identification (“eID”) is a digital solution for proof of identity of citizens or organizations. They can be used to view to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.
The online authentication is the important part. The article also talks about physical cards with a chip, but I honestly don’t quite understand how that’s different from a regular chip in a passport.
When I have to access any government service, I get redirected to digID to log in, then redirected to the site I want to visit. This is very similar to other online authorisation schemes, except it’s tied to me official legal identity.
My proposal is to use this not just to log in to government sites, but to use it to provide any legally required online identification, tailored to the highest amount of privacy possible in that situation. So if a site needs to confirm you’re 18+, let that site ask the eID service for just your age, or even just whether you’re 18+ or not, log into the eID system, and the eID system sends confirmation of your age back to the site.
Note that “authentication and login” does not necessarily require network communication with a government service. In fact in Europe the eIDs (eIDAS) are digital documents that use cryptography to authenticate without the need of spending resources in a government-funded public API that could be vulnerable to DDOS attacks and would be requiring reliable internet connections for all digital authentication (which might not always be an online operation). The chips are just a secure way to store the digital document and lock under hardware the actual key, making it much harder for it to be copied/replicated, but they don’t require internet connection for making government-certified digital signatures with them that can be used in authentication, this is the same whether the service itself you are login into is online or offline.
In any case, in your example where actual network communication is used, it would still be possible for the government to track you regardless of proxies, because then they can store a log of the data & messages exchanged in the authentication.
They can either ask the sites to authenticate previously with the government for the use of the API (which would make sense to prevent DDOS and other abuse, for example), which would let them know immediately which site you were asking login for (in a much more direct way than with “documents”), or simply provide a token to the site as result of the user authentication (which is a common practice anyway, most authentication systems work through tokens) and later at any given time in the future ask the sites to provide back which tokens are linked to each account on the site (just like I was saying before with the “documents” example) so the government can map each token with each individual person and know which users of that site correspond to which individuals.
DieserTypMatthias@lemmy.ml
on 10 Feb 20:08
collapse
Fractal is not multiplatform (i.e. isn’t available on Android and on iOS) and Matrix can be confusing to people not already familiar with it.
And no, a wall of text explaining what Matrix is won’t help since most of Discord’s users are teenagers with a very short attention span that don’t read much (unless they’re forced to by school).
Potential solution, may be controversial.
Just add a vertical video with Minecraft parkour or with CS surf on the bottom and a half naked woman from a freelance platform explaining what it is.
There are also Element and SchildiChat as alternative clients.
DieserTypMatthias@lemmy.ml
on 10 Feb 20:18
nextcollapse
Does this still require you to ‘call’ people to be in a voice channel? Or is it now similar to discord in that you join a channel and can hear anyone in it?
threaded - newest
.
Considering the recent “third-party” data breach cases…
More info for those unfamiliar:
Finally my chance to quit?
Idk
I’m never doing this. I’ll pay someone else to verify my account before I upload my dox with these assholes.
I’m fine switching to an alternative, but I have seen no gaming companies linking anything else for their official “forums”
Minecraft.wiki links to Zulip…
I don’t trust discord with what little I formation I’ve gave them so far. Definitely not giving them my ID or a scan of my face.
But they pinky promise the face scan is not facial recognition and that it’s immediately deleted and never leaves your device.
matrix and zulip are interesting alternatives
Uhhhh no thanks. Bye.
Damn guess I’m not using Discord anymore
Shrug
I’m not using discord for porn, so I’m not going to lose sleep. Will simply live with a “teen” account until my groups migrate to a better service.
But you’ll get my biometrics from my cold dead hands.
GOOD
Crazy they didn’t implement this years ago. Discord is bloated with fake user spam.
it’s easy to see how they’ll manipulate this to make you think that their pro-zionist bots are actual people.
That last part should just be a feature of any account.
So I get a free spam filter for not verifying? Guess I’m never verifying then, lol.
My initial thought too. Good. At least until they catch on and make some excuse for needing “teens” IDs too.
The last point is already implemented, and as someone who regularly has to get DMs from strangers, I have those options off. I guess now I can’t do that.
Revolt! your time has come (though it has been renamed to Stoat; a name I very much dislike.
<img alt="" src="https://lemmy.blahaj.zone/pictrs/image/c4f39bbc-c2c4-45e6-ae87-157ac484606b.webp">
You made the poor little guy sad. :(
I apologize :(
The stoat forgives, and acknowledges that the game is not great, lol
Limited Linux support (no repo or flatpak pkgs, not even aur) and tbh im not so sure how long they will continue to exist
First open source android app I’ve seen that requires Google Play Store.
tbh. I wasn’t aware of this. So far I only used it in the browser
isn’t it just a webapp? should be trivial to package as a ‘standalone program’
There is an unofficial aur pkg but still my point stands
If that is true then that is much better than revolt because that kind of name will make the majority of people roll their eyes and pass it up.
So while it hard to get your friends to join a different platform imagine how much harder it would be to get them to join “revolt”. Its super edgy
Well, I guess that 95% of all non-native speakers don’t know what a stoat is. So it is much harder to connect to/remember it.
Goodbye Discord.
Hello Matrix!
Matrix isn’t that good from an usability standpoint as it looks a lot like IRC
Usability is good in my opinion. They’ve spent a lot of time on the UI over the past couple years. The mobile Element X apps are excellent now IMO. But the two things that prevent matrix/Element from being a good discord replacement are:
Honestly, the best solution to 1 may be to simply deploy mumble in addition to matrix (or other chat apps).
Seconding this, just use mumble. It’s self-hosted free and open source software, easy on resources, provides very low latency, and it’s very stable and reliable.
The client might look a little dated but I still love it. I don’t care for stupid electron apps, which every modern application seems to be.
LOL! That’s so true! Even I have trouble navigating.
in other news: next month i will be attempting to bypass discord’s “AI” powered security features. I expect to overcome them in 4 minutes with a pic of an ID i found on the internet
Use one from Musk
im hoping i can use an ai altered image of stalin or some other communist leader like that lmao
RIP Discord
I hope for once people would get together and drop Discord so that Discord would have to reverse this policy. So often, we the customers really have the power if we get together and act together. All these social networks are nothing without the contributions of the customers.
Without the contributions of the product.
As the adage goes, if you’re not paying for it (and often even when you are), you’re not the customer.
We should append this, …" or it is open source"
that’s probably not much better though. nothing good will come from discord scanning and judging everything we say on it.
Does there exist an alternative that has both a desktop (WIN/Linux) client and a phone (android/iphone) client?
Matrix
XMPP, Conversations is a Nice Android client.
Matrix and Stoat
do you know if stoat’s ios client good enough? last i tried the android one was also very basic.
I don’t use ios and I don’t know what your standard of “good enough” is.
I’ve tried ouy the android one back when it was named Revolt and I though it was on par with Discord from a few years ago before they added in all the stickers and games, so I thought it was “good enough”
Just try it and see
New to the whole privacy space, what should I start moving my social group to that’s like discord but not doing this?
can someone on a server that isnt defederated from lemmy.world send this comment for me?
copied from earlier comment above: teamspeak (although i dont think they have teamspeak 6 server files available yet?), riot! (now called stoat apparently?), mumble, matrix, and jitsi meet
oh yeah if you’re ok seperating the chat and voice app i really like deltachat for chatting in the group
Deleted 👍🏻
gonna fire up good ol’ roger wilco for voice chat I guess
retvrn to teamspeak
we’d probably be better off with a federated/foss alternative.
Mumble (I’ve installed a server a while ago and had no fucking idea how to do anything with it, certainly not to the point where I’d feel confident to invite people to it as a discord alternative)
they don’t have screen sharing :/
Lol, no thanks. I deleted this trash years ago and wish companies would stop using it for tech and customer support. “Join our discord channel!” - no.
Same here.
discord.com/…/update-on-security-incident-involvi…
Dude my dnd campaign is run on Discord what the fuck. Do I need to start hosting open source voice and video chat?
it’s fine as long as you dont have the server marked as 18+
also, supposedly they will be having an ai determine people who are 18+ so you might not even need to upload anything
still, if this leaves too sour of a taste in your mouth the alternatives i can think of off the top of my head are: teamspeak (although i dont think they have teamspeak 6 server files available yet?), riot! (now called stoat apparently?), mumble, matrix, and jitsi meet
oh yeah if you’re ok seperating the chat and voice app i really like deltachat for chatting in the group
Riot renamed to Element.io, Revolt renamed to Stoat.chat
Teamspeak 6 self hosted servers are in open beta, and is a comparable experience in quality/features to people looking for a Discord replacement. All the open source Discord clones don’t have group screen sharing available yet.
Yeah, you go ahead & do that, & watch how many people will jump ship to other alternatives while you lose a lot of money & subscriptions, especially when you’ve been hacked before.
People have found other alternatives to TikTok, & they’ll do the same with Discord.
i wouldn’t be so optimistic. normies have a tendency to accept quite a lot.
I mean, you’re not wrong, but have you seen what those alternatives were?
is there a practical way to delete all your messages at once?
undiscord is good.
personally i’d also backup the messages before deleting, this works well github.com/Tyrrrz/DiscordChatExporter
We need something like what Lemmy is to Reddir, except for discord. A decentralized application with multiple instances that users can join.
I have a discord server of about ~1K members, and would love to spin up a docker container to host my own instance that users can join. Chat, voice/ video calls, video streaming, etc. I’d love to support a FOSS project like this. Maybe even have E2E while we’re at it!
Closest I can think of is Matrix. Element isn’t bad.
Matrix is the way, and element is the best so far, but it needs more work.
Stoat (formerly called Revolt) is potentially that. I tried it a while back and it was still rough around the edges, but the potential was there. Open source and has potential for self hosting.
Stoat.chat
Clickable link for anyone curious:
stoat.chat
Good old Teamspeak. Everyone can host his own server.
Well this is horrid. Must we really all go back to TeamSpeak?
Why did we leave it?
We left it mostly because there were better services out there + the UI was considered outdated and all. But personally, I’d rather take the outdated UI than have my data stolen.
teamspeak 4 felt like it was in the stone age while discord had a bunch of cool ass features for chatting outside of voice. it also was much more appealing to casuals by being free to use and super easy to set up your own server, whereas setting up your own teamspeak server involved portforwarding and whatnot that turns off the vast majority of “normies”
Its Joever
Discord is kill
Still a no for me for now, but a bit misleading: discord.com/…/discord-launches-teen-by-default-se…
That’s a no go from here…
I’m not against age restrictions, but letting every site brew their own method is a really bad idea. I’m not going to upload my legal ID to every random site; that’s a recipe for identity theft, and it’s a really bad idea to teach people that that’s normal or acceptable.
And age guessing through facial recognition is incredibly unreliable. My 16 year old son has already been accepted as 18+ somewhere. I had a full moustache at 14. Others are blessed with a babyface well into their 30s.
The only right way to do this, is if governments provide their citizens with an eID that any site can ask “is this person 18+?” and get an accurate answer without any other identifiable info. And if you don’t want the government to know what sites you visit, have sites route the request through a proxy.
But instead everybody’s got to cobble together their own improvised system that we just have to trust blindly is not going to sell our data.
Actually, no on the fly communication with the issuer is required for selective disclose. You just need a signed document with individually salted hashes of different properties and you can create a zero knowledge proof non-interactively. Zero knowledge meaning that truely nothing but the disclosed property (age > 18, County == DE, or whatever) is communicated to anyone.
Theres a lot of other cool stuff that can be done with zero knowledge digital identity wallets. You could for example hash your pubkey together with the service providers pk and disclose that as a per service ID, but not reveal your pk. This allows linkability within one service (as a login method for example) while preventing cross service linkability.
That prevents the site from knowing your identity, but I’m not convinced it prevents the government from knowing you visit the site. The government could keep track of which document corresponds to which individual whenever they issue / sign it.
So if the government mandated that each signed proof of “age>18” was stored by the service and mapped to each account (to validate their proof), then the government could request the service to provide them copy of the proof and then cross-check from their end which particular individual is linked to it.
The reason why it works is a bit complicated, but basically the trick is that the signatures are not immutable. Given a valid signature, it is possible to create a new valid signature over the same content that is not linkable to the original one. This means that it is still possible to derive, what authority signed the document, but the authority cannot know in which transaction it has signed that specific document.
If you have no way to link the signature to the original document, then how do you validate that the signature is coming from a document without repetition / abuse?
How do you ensure there aren’t hundreds of signatures used for different accounts all done by the same stolen eID that might be circulating online without the government realizing it?
Can the government revoke the credentials of a specific individual? …because if they can’t then that looks like a big gap that could create a market of ever-growing stolen eIDs (or reusing eIDs from the deceased) …and if they can revoke, what stops the government from creating a simulation in which they revoke one specific individual and then check what signatures end up being revoked to identify which ones belong to that person? The government can mandate the services to provide them all data they have so it can be analyzed as if they were Issuer, Registry and Verifier, all in one, without separation of powers.
I know there are ways to try and fix this, but those ways have other problems too, which end up forcing the need for a compromise… there’s no algorithm that perfectly provides anonymity and full verifiability with a perfect method of revocation that does not require checks at every user login. For example, with the eIDAS 2.0 system (considered zero-knowledge proof), the government does have knowledge of the “secret serial number” that is used in revocation, so if they collude with the service they can identify people by running some tests on the data.
The anonymous credential signature scheme that is planned to be used is BBS#, I don’t know how it handles revocation.
github.com/…/ts4-zkp.md
I haven’t found where in that source the implementation of revocation is discussed.
Edit: github.com/…/Trust-model-privacy-on-attestation-p…
Seems like no ways of enabling privacy preserving revocation with bbs# are known jet. This means that arithmetic circuit based proofs would be the only way to enable revocation. And as they can prove any statement in NP with ZK, the fact that they can prove that a revocation id is not part of a given list is obvious. github.com/…/ts4-zkp.md#22-proofs-for-arithmetic-…
www.microsoft.com/en-us/research/…/main-51.pdf As crescent by Microsoft is one of the considered implemations, this paper is probably the most relevant work on revocation of anonymous credentials.
This is a point so few people mention. Normalising having to give up personal information online is such a dangerous thing to do and companies/governments that enforce this shit are setting people up to be scammed
I feel a proxy would not really make much of a difference. If the government keeps a mapping of which eID corresponds to each real person from their end (which they would do if they want to know what sites you visit) then they can simply request the services (and/or intermediaries) to provide account mapping of the eIDs (and they could mandate by law those records are kept, like they often do with ISPs and their IP addresses). The service might not know who that eID belongs to… but the government can know it, if they want.
The government needs to want to protect your privacy. If the government really wants to know what sites you visit, there’s no reason why they would want to provide you with a eID that is truly anonymous at all levels and that isn’t really linked to you, not even in state-owned databases.
Of course, a government has many ways they can legislate your rights, freedom and privacy away. But if you want to do this in a way that preserves privacy, this is how you do it.
Of course the government knows who you are; they have to. They issue your ID, and that makes them the only organisation that can issue your eID. But a government that serves its people would provide this an a service, with the proxy, to ensure privacy is respected.
And of course with a warrant they can and should be able to demand access to the proxy’s or the website’s logs. But only with a warrant. That is the bar that the government should always have to clear before they can get access to any citizen’s privacy.
I agree that a government that wants privacy can actually do it in a way that ensures privacy. That’s also what I was saying.
My point was that this is up to the government, and no amount of “route the request through a proxy” would patch that up, that’s not gonna help this case. Because this is not something that’s tracked in the networking layer, it’s in the application layer.
If the government wants to protect privacy, they can do it without you needing to use proxies, and if the government wants to see what sites you visit using these certificates, they can do it even if you were to use proxies.
If the proxy is independent, I don’t see how the government can know what the requesting site is. They can only see the proxy. I don’t mean a standard network proxy of course, but a proxy for the entire request. That’s probably the source of our misunderstanding.
They don’t need to know the requesting address in order for them to know if it was you the person corresponding to that proof of age, because the information is in the data being exchanged. These kind of verifications don’t depend or rely on IP address or networking, these are credentials that are checked on the application layer.
In fact, they don’t even need to directly communicate with the government for this.
This is equivalent to a registration office for a service asking you provide a paper stamped by the government that certifies your age without the paper actually saying who you are… the service does not need to contact the government if they can trust the stamp in the paper and the government official signature (which in this case is mathematical proof). And even though the service office can’t see your name in the paper, the government knows that the number written in the paper links to you individually, because they can keep record of which particular paper number was issued to which individual, even if your name wasn’t written in the document itself.
So, the government can, at any given time, go to those offices, ask them to hand in the paper corresponding to a particular registration and check the number to see who it belongs to.
The traceability is in the document, not in the manner in which you send it. It does not matter if you send the document to a different country for someone else to send it from a different address, on your behalf (ie. a proxy). If the government can internally cross-reference the registration papers as being the ones linked to your governmental ID, they can know it’s yours regardless of how it reached the offices. So this way they can check if you registered yourself in any particular place they wanna target and what your account is.
Obviously the government knows it’s you. That’s the whole purpose. But they don’t know the site that’s requesting this, if the proxy hides that from them.
They might not know the list of sites you visit right away in the same way they could by contacting your ISP when you are not using a proxy, but that wasn’t my point.
My point is that they can check with a specific site that uses this verification method and see if you have an account on that site, and if you do, which account in particular. And in a way that is much more directly linked to you personally than an IP address (which might be linked to the household/internet access you’re using but that isn’t necessarily under your name).
So in this situation they can indeed know if you use any one particular site that they choose to target, as long as that site is requiring you to provide them with a document, regardless of how many layers of proxies you (or the site) choose to be under.
I’m not sure what you mean by “the site that’s requesting this”, the site does not need to request anything from the government, they just need to have previously agreed on a “secret” mathematical verification method that works for every document. The digital equivalent of a stamp/signature.
But getting that information from the USP or the site would require a warrant. Not to mention that the site doesn’t have to know your real identity either.
And the whole point of this exercise is to ensure that you don’t have to provide any document to the site.
What I mean by the site that’s requesting this, is exactly that: you need to prove to a site that you’re above a certain age. For that, the site redirects you to the proxy that redirects you to the eID site, with a request to confirm that you’re above a certain age.
The site has fulfilled its legal obligation to check your age, but doesn’t have to know your identity, and the government doesn’t have to know what site you’re visiting.
I feel like you’re misunderstanding the scenario we’re discussing.
I feel you are talking about a different thing now. My point was surrounding what you initially said:
An eID is a digital document. You yourself are proposing that sites should request people to provide a document, one that’s issued by the government to you, personally. Then later you said that using a proxy prevents the government to know what you visit.
My answer was that if you are providing a government-issued document/file to the service then the government (the issuer) can know if you visit the site just by keeping track of who did they issue each document for and requesting the sites for copies of the documents. Even if the document itself does not say your name. And that’s regardless of how many proxy layers you use, since there’s traceability in the document. This makes you fundamentally less anonymous to the government than before (when you could have indeed used a proxy to prevent this), this makes proxies no longer a good defense.
The service does not know you, but that’s not the point, what you said is that the government can’t know if you visit the site, which is the one thing I disagreed with.
I’m still talking about the same thing, but I understand the nature of our misunderstanding now. You see eID as something you download and can share (but what kind of security would that provide?). I mean an online ID service, similar to the Dutch DigiD. I assume the EU eID is also something similar, although I have no personal experience with that.
The first paragraph on Wikipedia contains a good description of what I’m talking about: en.wikipedia.org/wiki/Electronic_identification
The online authentication is the important part. The article also talks about physical cards with a chip, but I honestly don’t quite understand how that’s different from a regular chip in a passport.
When I have to access any government service, I get redirected to digID to log in, then redirected to the site I want to visit. This is very similar to other online authorisation schemes, except it’s tied to me official legal identity.
My proposal is to use this not just to log in to government sites, but to use it to provide any legally required online identification, tailored to the highest amount of privacy possible in that situation. So if a site needs to confirm you’re 18+, let that site ask the eID service for just your age, or even just whether you’re 18+ or not, log into the eID system, and the eID system sends confirmation of your age back to the site.
Oh, I see the misunderstadning.
Note that “authentication and login” does not necessarily require network communication with a government service. In fact in Europe the eIDs (eIDAS) are digital documents that use cryptography to authenticate without the need of spending resources in a government-funded public API that could be vulnerable to DDOS attacks and would be requiring reliable internet connections for all digital authentication (which might not always be an online operation). The chips are just a secure way to store the digital document and lock under hardware the actual key, making it much harder for it to be copied/replicated, but they don’t require internet connection for making government-certified digital signatures with them that can be used in authentication, this is the same whether the service itself you are login into is online or offline.
In any case, in your example where actual network communication is used, it would still be possible for the government to track you regardless of proxies, because then they can store a log of the data & messages exchanged in the authentication.
They can either ask the sites to authenticate previously with the government for the use of the API (which would make sense to prevent DDOS and other abuse, for example), which would let them know immediately which site you were asking login for (in a much more direct way than with “documents”), or simply provide a token to the site as result of the user authentication (which is a common practice anyway, most authentication systems work through tokens) and later at any given time in the future ask the sites to provide back which tokens are linked to each account on the site (just like I was saying before with the “documents” example) so the government can map each token with each individual person and know which users of that site correspond to which individuals.
Best thing you can do with discord? Uninstall it.
MSN Messenger for the win!
The same as Discord (IRC with a fancy GUI) but with the fact your data is unconsentionally sent to an intelligence agency for analysis.
What about Fractal? It even have a flatpak gitlab.gnome.org/World/fractal
Fractal is not multiplatform (i.e. isn’t available on Android and on iOS) and Matrix can be confusing to people not already familiar with it.
And no, a wall of text explaining what Matrix is won’t help since most of Discord’s users are teenagers with a very short attention span that don’t read much (unless they’re forced to by school).
Potential solution, may be controversial.
Just add a vertical video with Minecraft parkour or with CS surf on the bottom and a half naked woman from a freelance platform explaining what it is.
There are also Element and SchildiChat as alternative clients.
Well, time to dump Discord after I finish school.
Like I mentioned in a similar post, please look at this alternative: stoat.chat
Seams cool, but why not matrix since matrix has different instances you can chose from.
forgot to add that one, my other post did include Matrix as well :)
Does this still require you to ‘call’ people to be in a voice channel? Or is it now similar to discord in that you join a channel and can hear anyone in it?
Have not used this so I can’t speak to their viability, but there’s also @root
can somebody screenshot the article i cant read it