I'm guessing the British Indian Ocean Territory doesn't have a lot of administrators to handle trademark claims. According to Wikipedia, "the only inhabitants are British and United States military personnel, and associated contractors, who collectively number around 3,000 (2018 figures)."
Darn that global Internet, allowing people to use unauthorized chat clients with impunity!
There are other ways to shut down a third-party service, from sending a cease and desist letter for trademark infringement to server-side blocking of access to their API.
A sense of discord washes over me as I eat an apple in front of a computer running XWindows. A lesson about using a common English words as a trademark becomes apparent in my mind.
>Darn that global Internet, allowing people to use unauthorized chat clients with impunity!
The problem here is that people are chosing to use Disord despite the fact that it is so stupidly proprietary. If Discord actually enforced it's rules all the time there'd have been far fewer teamspeak/irc/mumble/etc people lured into it's walled garden. It is a literal bait and switch.
So it's important to point out a large fraction of the ways people do use Discord are actually very much against the TOS and could be prosecuted under the CFAA as felonies if Discord corporate thought they were rocking the boat and decided to buy a district attorney. It's the worst of both worlds.
> people are chosing to use Disord despite the fact that it is so stupidly proprietary
This has zero relevance to normal users. Does teamspeak/irc/mumble/etc even support live streaming with screen+audio capture to a group chat? That's a pretty basic feature in 2023. I'm not aware of any serious open source competitors in this space
.io domain is officially administrated out of the UK and is own by Ethos Capital, a private equity firm out of the US. Surely both the American and/or UK courts would be valid avenues for enforcement.
It was primarily a way for non-partner servers to have permanent, readable invite links before these became available officially (by paying users boosting a server). It wasn't actually a third party interface that recreated the discord client or anything (unless that's a recent development).
Probably most, considering it's Discord's logo and screenshots of their app used in the article, and discord.io isn't loading with 522 errors right now so you can't exactly check.
It's definitely not just me but I only have a data point of one to use: Anytime I see something that isn't .com, .org, or .gov I immediately assume it's less than reputable at best and actively trying to scam/phish me at worst.
It had been that companies that “made” it would eventually pick up the .com. But it seems like it is more common to stick with whatever TLD they had before.
As an American I don't trust most things with a .us TLD. I wouldn't trust another country's TLD, either. But like I said originally -- this is just me. I'm sure others feel like I do but I am not trying to speak for them.
You can, of course, treat domains however you like, but it would be unfortunate to extend your approach worldwide. In many, many other countries the local domain is a strong signal of trust, often more so than a .com/.org.
Thinking through websites I use in Denmark, I struggle to recall one that isn't .dk.
Supermarkets (netto.dk, foetex.dk), public transport (dsb.dk, m.dk, cph.dk), newspapers/TV (politiken.dk, berlingske.dk, dr.dk), University (ku.dk, au.dk), local government (kk.dk), other retailers (computersalg.dk, proshop.dk, elgiganten.dk) ...
The largest grocery delivery company uses nemlig.com, and Ikea uses ikea.com.
As another example, if I'm applying online for a visa to Thailand, that site had better end .th.
.io has been used as a sort of general-purpose tld to signal sort of… I dunno, hip, dev-focused sites, right? It is at least slightly less novel than gg.
Agree, but it’s important to point out that .gg grew popular in the gaming crowd because “gg” in gaming means “good game”. It’s used in-game in the chat by many players of online multiplayer games as a way of thanking each other after a match. It can be used sincerely or it can also be used sarcastically but in the latter case you’d typically say “ggez” as a taunt implying that the win was easy (“ez”) because you are more skilled than your opposing team.
And for .io of course that one is/was popular among tech companies because it looks similar to “I/O” (input/output).
Maybe the lazy dog should get a part-time job like rescuing people in the Alps while carrying a little barrel of liquor or barking at people with drugs, money or fruit at the airport.
Yeah, he has his own separate account and a video channel.
This way both my partner and I can check up on him if we both leave the house for longer and it's noisy outside. He's a rescue and sometimes gets anxious/loud, but he's getting better.
Side effect: once I came home to spot him with my brothers who live across the continent chatting and drinking beer.
That’s an excellent idea for rescues. I’m going to pass a link to your comment to a couple of friends who are heavily involved in animal rescues - it sounds like an excellent way to help dogs through trauma! Thanks so much for sharing!
Your last paragraph gave me a funny mental image of your dog sitting in front of a monitor, beer in paw, chatting with your brothers! :)
Getting a custom URL for a Discord server (e.g. discord.gg/hackernews) requires 14 "server boosts" which cost $35/year each, so nearly $500/year. There's a discount if you have their premium Nitro package, but even then it's something on the order of $300.
Meanwhile discord.io is free and you won't lose your URL to a crypto scam server when someone forgets to renew their boost. Kind of inevitable that such a service would pop up.
And this is exactly why companies protect their trademarks. A site called discord.io which offered services on top of Discord but wasn't affiliated with it in any way (but tricked users into believing so by using its logo and screenshots) should have been nipped in the bud a long time ago.
Try to register a company called Apple that builds iPhone apps and you will find out pretty quick how well a sector-specific trademark can be enforced.
A long time ago I registered windowsupdate.ms and put a small timeline there about the technological advancements we've made to windows over time— from holes in the wall, to grease paper, to bullet proof glass.
And then when we go and search in USPTO we can see the registrations they have for the name “Discord”
For example they have
> Word Mark DISCORD
> Goods and Services IC 045. US 100 101. G & S: Social networking services in the field of gaming. FIRST USE: 20181000. FIRST USE IN COMMERCE: 20181000
> Goods and Services IC 041. US 100 101 107. G & S: online game services, namely, providing on-line computer games; organizing community cultural events; organizing community sporting events, organizing educational seminars, workshops, and conferences in the field of communications, online gaming, online communities and social media; providing non-downloadable webinars in the field of communications, online gaming, online communities and social media
> IC 042. US 100 101. G & S: rental of computer game programs and computer game software; online game services, namely, providing temporary use of online non-downloadable game software; providing computer game subscription-based temporary use of non-downloadable game software
And they have another few as well probably. Didn’t read all of them.
With this Discord can protect themselves and their reputation within their own verticals.
Other people can still have a decent chance of being able to register a trademark for an unrelated product or service named “Discord”, as long as it is noticeably unrelated to the existing marks.
So for example maybe I could start a theatre and get a trademark named “Discord” accepted for my theatre.
Apparently, this sort of thing happened to Mr. Beast with regards to Mr. Beast Burger. Even though his agreements/contracts forbade the company making the virtual restaurant supplies from doing so, that company trademarked his likeness and brand in half a dozen foreign countries. He's currently suing them for damages, and for not paying him the agreed amount for his participation. (Apparently, they had paid him $0!)
(Don't read if you don't want spoilers. Exit Through the Gift Shop is phenomenal and should be watched without knowing about this guy. Watch it, then read the Wikipedia article for yet another surprise.)
should be no different than any other franchisee. If you are worried about them ruining your reputation then you should QC them with secret shoppers, inspectors, etc.
Not really anything super wrong with it, other than perhaps it would be harder to air grievances with them because there’s usually nowhere to go, and QC issues.
“Ghost Kitchens” have a more nefarious connotation than “delivery only” though because often it will be a single kitchen yet be advertised as many distinct restaurants. I saw one in one major city that was something like fifteen “different restaurants” operating from the same small space, which is sketchy.
But I think the person to whom you’re responding was relying more on the word “thousands” here. So given the connotation I think opening thousands of these things is pretty sketchy for some random YouTube personality with presumably no experience with restaurants to be opening simultaneously.
He created the idea at the beginning of the pandemic. His thought process was that the Mr Beast brand would allow smaller stores to carry his product and incentivise people to buy take out from those shops and help during lockdowns.
I don't believe the contract between him and VDC is out outlining the contractual obligations, SLAs, trademark and marketing issues etc.
This is going to get harder unless the US government or US tech companies censor the Internet to block ones that don't follow US affiliated trademark law. Which I hope you wouldn't support.
Thankfully I never used this website exactly because I feared this.
There was a link to join a discord server via Discord.io that showed as a top Google result.
I clicked it not even aware it was 3rd party. Thankfully OAuth gave me the friendly confirmation page saying "You are about to connect with this third party service and grant full access to your account."
I said WTF? NO
Shame on the Discord legal team and their executive team for completely lacking diligence on this.
If Discord.io was using OAuth then this would largely be a non-issue as those tokens could be invalidated or revoked, by Discord, trivially. And they wouldn't have any password data, hashed or otherwise.
Granted, I don't use discord.io , so maybe I'm missing something.
> Salted and hashed passwords (mainly concerning users prior to 2018 when Discord.io began exclusively using Discord for logins)
So it sounds like they used to have their own accounts before integrating via Discord OAuth, and some users may be affected by this. Unsure if they didn't delete users' hashed PWs once they migrated to the OAuth flow or something like that.
Based on the screenshot it would seem they do have hashed passwords, specifically it looks like bcrypt hashes with a cost factor of 8. Not sure why the cost would be so low, or indeed why the hashes are available at all.
If Discord was allowing this website to run for so long using this brand, don't they risk losing the trademark because of the dilution due to non-enforcement ?
Yes. Trademark law says the use of a trademark as a trademark is an issue. Using the discord logo to link to a discord channel is fine. Allowing a site to be named Discord with a different TLD is using a trademark as a trademark and that can have consequences. The whole point of trademark is to distinguish goods/services and by failing to prevent the use of discord.io they kinda dropping the ball here in my opinion.
No, it’s still trademark infringement. Especially since it relates to the same product. It would be different if they were unrelated but this is about as bad as infringement and brand confusion can get. Any competent legal OR marketing team would have sent them a C&D ages ago.
> The circumstances under which a company could actually lose a trademark—such as abandonment and genericide—are quite limited. Genericide occurs when a trademark becomes the standard term for a type of good (‘zipper’ and ‘escalator’ being two famous examples). This is very rare and would not be a problem for Canonical unless people start saying “Ubuntu” simply to mean “operating system.” Courts also set a very high bar to show abandonment (usually years of total non-use). Importantly, failure to enforce a mark against every potential infringer does not show abandonment.
Normally I think it's lame when a product-for-a-product (there's probably a better term) has to abide by stringent branding guidelines to not look official. e.g. when third-party reddit clients (RIP) had to change from e.g. "Reddit Sync" to "Sync for Reddit" and they weren't allowed to use the Snoo character in their branding.
But in this case... why was Discord fine with this branding? It looks unabashedly like an alternate official domain for their own service. Googling "what is discord.io" leads to a good handful of confused redditors asking if it's legit/safe.
To those who used discord.io, what was the appeal of it over discord.gg? Unfortunately their site is down so I can't even see what its own marketing said.
How would one know if they're affected? I use discord but have no recollection how I signed up .. probably via first search hit (which could be an add)
Google also has their own people seemingly trolling through onion sites buying up packages of cracked data so they can run it against their own properties and see if anyone is affected.
Various darknet fora. Certainly nowhere on clearnet. There are search engines that deal with such things though I'll bet there's a 99:1 ratio of scam to legit. I have no idea how someone world go about validating what they saw.
Validation is likely tied to reputation - such as by showing a sample to an established moderator / community member and them vouching that the data seems real.
1. confirming the emails were not already listed in other databases / leaks;
2. going to the actual Discord platform and performing a "Forgot Password" request, entering a stolen email, and seeing if it goes through or not, as Discord confirms if an email exists or not during this flow;
3. contacting Discord.io directly, who confirmed & put out a statement.
Other data breaches are harder to verify. Troy Hunt (owner of haveibeenpwned.com) described this in far more interesting ways than I ever could[0], but for each breach, it varies.
Until recently, every time a story was run about a leak being "for sale on the dark web", you could visit raid forums or breach forums, both clearnet sites, and note that's where it's for sale.
I have a directory of most of them, I would not post it under my real identity obviously, but if you happen to be into the cybersec space, definitely you came across some of these sites, there are even sites with latest APT discovered up to this month too.
Why are all the other replies so mysterious and LARPy?
https://discord.io/ has been replaced with a termination notice, and they directly mention where the credentials are being sold. Google the name, it's the top result.
Leaked credentials are sold on the open internet, on sites indexed by search engines. This isn't some quadruple proxy Anonymous hacker TOR exclusive club.
Edit: One better - any time you hear Microsoft, or Google, or Crebs, talking about some new "advanced" "Russian" "APT", 9 times out of 10 it's a kid posting on one of these forums, reselling stale credentials, or a fork of Mirai, or some other totally non-credible threat.
This stuff is WAY less cool than people make it seem.
Ok so when I've never used a 3rd party discord service I'm safe.
I got scared there for a moment, but then I thought what would I lose? Nothing at all. Nothing that can't be replaced.
No contacts worth keeping.
Having OAuth creds is a totally different thing than having access to your account. I support "Log in with Discord" on my site that uses the OAuth flow and the only thing I get out is a set of creds that can hit /user/@me and let me say "the user that just authed is this Discord user." Now discord.io could have asked for everything but the risk of some random integration is on average a lot less. To my knowledge absolutely nothing has the rpc scopes.
The good news is that even with every scope you can't take over the account and the service can just be removed cutting off their access for sure.
[e: i apparently mistook discordio for a couple of the other discovery platforms we utilized, but it seems to be the same concept as the others, looking at the web archives]
discordapp back then was really just a collection of servers pretty siloed/insulated from each other, with barebones voice and text chat functionality.
discordio offered some basic form of discovery and cross-server exploration/networking when it was effectively nonexistent back then. it, along with other outreach efforts on our part, certainly helped boost our community size and amusingly also attracted a lot of teens approaching us to ask if we wanted to "partner up" with their server (i help administer a studygroup server on discord).
anyway, 'partnered', to my recollection, means a formal arrangement with discord where the particular server community is directly promoted by discord on front pages and such, in exchange for meeting a higher bar of conduct that represents a model community (SFW, PC, etc.).
one of the perks that comes with this is being granted "Level 3" boost status, free of charge (normally costing anywhere from $49-70/mo, depending on circumstances), which is what directly grants the custom link feature.
Do you still have it? I believe a discord I was on had it too, but then they made it a paid feature (boosting) and started taking it away from smaller discords. Or maybe yours got grandfathered.
It sounds like one would needed to have connected their discord account with this separate discord-related app. If you didn’t do that, I would expect your account wasn’t breached.
160 comments
[ 3.2 ms ] story [ 207 ms ] threadIsn't this explicitly against the Discord TOS? I'm surprised it wasn't shut down by Discord itself.
Darn that global Internet, allowing people to use unauthorized chat clients with impunity!
The use was not the problem; the name was the problem.
The problem here is that people are chosing to use Disord despite the fact that it is so stupidly proprietary. If Discord actually enforced it's rules all the time there'd have been far fewer teamspeak/irc/mumble/etc people lured into it's walled garden. It is a literal bait and switch.
So it's important to point out a large fraction of the ways people do use Discord are actually very much against the TOS and could be prosecuted under the CFAA as felonies if Discord corporate thought they were rocking the boat and decided to buy a district attorney. It's the worst of both worlds.
This has zero relevance to normal users. Does teamspeak/irc/mumble/etc even support live streaming with screen+audio capture to a group chat? That's a pretty basic feature in 2023. I'm not aware of any serious open source competitors in this space
pIRCh98 had video chat support, and back then we used some wrapper from FRAPS to do our screen captures.
Of course, back then, video chat was such a niche thing.
Everyone else is actually late to the game - IRC had this capability before the majority of known players.
Proprietary software. I guess the answer to my question is no, there are no open-source competitors in this space.
.gg and .io are being used for novelty value.
I found: kubernetes.io , sentry.io , codepen.io , itch.io , not to mention lever.co , elastic.co and last but not the least, notion.so .
A tourist attraction in Guernsey can very reasonably use .gg and maintain full credibility.
Thinking through websites I use in Denmark, I struggle to recall one that isn't .dk.
Supermarkets (netto.dk, foetex.dk), public transport (dsb.dk, m.dk, cph.dk), newspapers/TV (politiken.dk, berlingske.dk, dr.dk), University (ku.dk, au.dk), local government (kk.dk), other retailers (computersalg.dk, proshop.dk, elgiganten.dk) ...
The largest grocery delivery company uses nemlig.com, and Ikea uses ikea.com.
As another example, if I'm applying online for a visa to Thailand, that site had better end .th.
And for .io of course that one is/was popular among tech companies because it looks similar to “I/O” (input/output).
It is a little surprising given their field that they didn’t also grab the .io.
(My dog uses the native Discord client because he's too cheap to pay for a baby cam.)
Can you pay for Discord in grissinis?
Serious question though, do you use it as a dog monitor? That’s a good idea.
This way both my partner and I can check up on him if we both leave the house for longer and it's noisy outside. He's a rescue and sometimes gets anxious/loud, but he's getting better.
Side effect: once I came home to spot him with my brothers who live across the continent chatting and drinking beer.
Your last paragraph gave me a funny mental image of your dog sitting in front of a monitor, beer in paw, chatting with your brothers! :)
Meanwhile discord.io is free and you won't lose your URL to a crypto scam server when someone forgets to renew their boost. Kind of inevitable that such a service would pop up.
https://support.discord.com/hc/en-us/articles/360042987951-D...
I remembered vaguely that it was something different from discord.com, and was fooled by discord.io :D
If I try to sell computer gadgets under the name "Apple", leaving out the "Inc" isn't going to stop me from being sued.
0: https://www.icann.org/resources/pages/trademark-infringement...
No, because trademarks given by USPTO apply for a specific kind of product or service. It’s never a blanket protection for all situations.
So first on Discord’s website we see info about their company https://discord.com/company-information
Discord Inc.
Discord Inc.
444 De Haro Street
Suite 200
San Francisco, CA 94107
United States of America
And then when we go and search in USPTO we can see the registrations they have for the name “Discord”
For example they have
> Word Mark DISCORD
> Goods and Services IC 045. US 100 101. G & S: Social networking services in the field of gaming. FIRST USE: 20181000. FIRST USE IN COMMERCE: 20181000
> Registration Number 6254199
https://tmsearch.uspto.gov/bin/showfield?f=doc&state=4804:5l...
And they also have
> Word Mark DISCORD
> Goods and Services IC 041. US 100 101 107. G & S: online game services, namely, providing on-line computer games; organizing community cultural events; organizing community sporting events, organizing educational seminars, workshops, and conferences in the field of communications, online gaming, online communities and social media; providing non-downloadable webinars in the field of communications, online gaming, online communities and social media
> IC 042. US 100 101. G & S: rental of computer game programs and computer game software; online game services, namely, providing temporary use of online non-downloadable game software; providing computer game subscription-based temporary use of non-downloadable game software
https://tmsearch.uspto.gov/bin/showfield?f=doc&state=4804:5l...
And they have another few as well probably. Didn’t read all of them.
With this Discord can protect themselves and their reputation within their own verticals.
Other people can still have a decent chance of being able to register a trademark for an unrelated product or service named “Discord”, as long as it is noticeably unrelated to the existing marks.
So for example maybe I could start a theatre and get a trademark named “Discord” accepted for my theatre.
https://en.wikipedia.org/wiki/Mr._Brainwash
(Don't read if you don't want spoilers. Exit Through the Gift Shop is phenomenal and should be watched without knowing about this guy. Watch it, then read the Wikipedia article for yet another surprise.)
“Ghost Kitchens” have a more nefarious connotation than “delivery only” though because often it will be a single kitchen yet be advertised as many distinct restaurants. I saw one in one major city that was something like fifteen “different restaurants” operating from the same small space, which is sketchy.
But I think the person to whom you’re responding was relying more on the word “thousands” here. So given the connotation I think opening thousands of these things is pretty sketchy for some random YouTube personality with presumably no experience with restaurants to be opening simultaneously.
I don't believe the contract between him and VDC is out outlining the contractual obligations, SLAs, trademark and marketing issues etc.
There was a link to join a discord server via Discord.io that showed as a top Google result.
I clicked it not even aware it was 3rd party. Thankfully OAuth gave me the friendly confirmation page saying "You are about to connect with this third party service and grant full access to your account."
I said WTF? NO
Shame on the Discord legal team and their executive team for completely lacking diligence on this.
Granted, I don't use discord.io , so maybe I'm missing something.
> Salted and hashed passwords (mainly concerning users prior to 2018 when Discord.io began exclusively using Discord for logins)
So it sounds like they used to have their own accounts before integrating via Discord OAuth, and some users may be affected by this. Unsure if they didn't delete users' hashed PWs once they migrated to the OAuth flow or something like that.
They don’t seem to mention it on their website. I don’t see any guideline for how to respect their trademark: https://discord.com/branding
Now the question, does it risk dilution if a company doesn’t say what’s allowed.
Interesting. That about sums up my opinion of their development team.
At least according to the EFF: https://www.eff.org/deeplinks/2013/11/trademark-law-does-not...
> The circumstances under which a company could actually lose a trademark—such as abandonment and genericide—are quite limited. Genericide occurs when a trademark becomes the standard term for a type of good (‘zipper’ and ‘escalator’ being two famous examples). This is very rare and would not be a problem for Canonical unless people start saying “Ubuntu” simply to mean “operating system.” Courts also set a very high bar to show abandonment (usually years of total non-use). Importantly, failure to enforce a mark against every potential infringer does not show abandonment.
This is basically all that log in with Google requires or provides and asking for more access would be abnormal.
https://support.discord.com/hc/en-us/articles/360042987951-D...
But in this case... why was Discord fine with this branding? It looks unabashedly like an alternate official domain for their own service. Googling "what is discord.io" leads to a good handful of confused redditors asking if it's legit/safe.
But you can always check at the link below. That guy gets a lot of donated packages of cracked data:
https://haveibeenpwned.com/
Google also has their own people seemingly trolling through onion sites buying up packages of cracked data so they can run it against their own properties and see if anyone is affected.
1. confirming the emails were not already listed in other databases / leaks;
2. going to the actual Discord platform and performing a "Forgot Password" request, entering a stolen email, and seeing if it goes through or not, as Discord confirms if an email exists or not during this flow;
3. contacting Discord.io directly, who confirmed & put out a statement.
Other data breaches are harder to verify. Troy Hunt (owner of haveibeenpwned.com) described this in far more interesting ways than I ever could[0], but for each breach, it varies.
[0]: https://www.troyhunt.com/heres-how-i-verify-data-breaches/
https://discord.io/ has been replaced with a termination notice, and they directly mention where the credentials are being sold. Google the name, it's the top result.
Leaked credentials are sold on the open internet, on sites indexed by search engines. This isn't some quadruple proxy Anonymous hacker TOR exclusive club.
Edit: One better - any time you hear Microsoft, or Google, or Crebs, talking about some new "advanced" "Russian" "APT", 9 times out of 10 it's a kid posting on one of these forums, reselling stale credentials, or a fork of Mirai, or some other totally non-credible threat.
This stuff is WAY less cool than people make it seem.
The good news is that even with every scope you can't take over the account and the service can just be removed cutting off their access for sure.
discordapp back then was really just a collection of servers pretty siloed/insulated from each other, with barebones voice and text chat functionality.
discordio offered some basic form of discovery and cross-server exploration/networking when it was effectively nonexistent back then. it, along with other outreach efforts on our part, certainly helped boost our community size and amusingly also attracted a lot of teens approaching us to ask if we wanted to "partner up" with their server (i help administer a studygroup server on discord).
my 2c, as a fairly active user since '16.
anyway, 'partnered', to my recollection, means a formal arrangement with discord where the particular server community is directly promoted by discord on front pages and such, in exchange for meeting a higher bar of conduct that represents a model community (SFW, PC, etc.).
one of the perks that comes with this is being granted "Level 3" boost status, free of charge (normally costing anywhere from $49-70/mo, depending on circumstances), which is what directly grants the custom link feature.