I run forums, I write forum software, I am pro forums.
However I'd also add that it's important how to engage with a forum.
My top tips:
1. Financially fund a forum, but have the enthusiasts run it so it is arms length but official. If you run it, spin it up as a distinct thing so that future independence is possible and easy.
2. Bless it fully, point everything you have at it and have your support staff answer questions, and allow your engineers to go deep on details where they can. Transparency wins, if you can't do it don't run a forum.
3. Have someone else run it... That was #1, but it means "Don't moderate away dissenting voices". You will never have a more vocal and clear line of feedback to help you improve, you might not like it... your job is to either listen and learn, or to explain why you are where you are and not going to do something, etc. People aren't dumb, "for money" is a fine argument, but don't use moderation to silence feedback you don't like.
4. Forums are great for content that ages well, know your audience... it's not only the person you're replying to, it's the 1,000 visitors who will never create an account but found this issue via a search engine.
5. Don't use moderation to silence feedback you don't like! (Also #1 and #3). Don't even use threats of "we're withdrawing support" or "unblessing"... these are your users and customers, listen to them rather than fight against them.
I think #3 ("don't moderate away dissenting voices") is a pretty good line / tactic; it makes the community look more independent, instead of a "my product, my rules, I am absolute" community. I mean by all means be on staff, but stay out of forum politics - you are inherently biased towards e.g. criticism. Get some staff to help enforce rules / CoC / etc - if people are being dicks then ban them, but if they're providing feedback you don't like then just... leave it?
Having a community as a third party of sorts helps keep you unbiased.
Of course, that doesn't mean that you allow straying too much out of the topic. Competitor's product that does it better? That's for your improvement, don't shut off critics. Geopolitics? Well, you need to draw a reasonable line sooner or later.
Oh please do. This seems like the perfect time to bring this up:
I had a piece of software that used Discord for support. They required that users be verified, which requires you to give your phone number to Discord. I gave them my Google Voice number, which is the only number I have, and they rejected it because they don't support VOIP numbers. I asked them if there was any other way to verify my identity.
They told me, "Just use a friend's phone to verify. As long as they don't try to verify on Discord in six months it should be fine, we won't check again".
Their official answer to identity verification was to impersonate someone else!
I constantly run into this problem, I've used my google voice number for everything for years (yeah it's not a great move but very hard to migrate away from) and a frustrating number of services recently have been rejecting it for verification. I end up having to take the sim out of my laptop and put it in my PinePhone. It's such a hassle. This whole "you're not a human unless you have a phone number" thing sucks. Same thing with having a credit score. You're just assumed to participate in these systems even though there's no mandate to do so or protection for you if you don't.
Just a couple of days ago, I signed in to a gmail account using the correct username and password.
Gmail intercepted me and claimed to be worried that they couldn't recognize the device I was using. According to the flow, they wanted me to verify my identity in one of three ways: (1) I could verify the backup email address associated with the account; (2) if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?); or (3) I could provide a phone number -- previously unknown to Google -- on the spot, and then provide the 2FA code sent to that brand-new phone number. (How is this supposed to help them verify my identity?)
I went for option (2), the email 2FA code. After providing the code, I was informed that, before signing in to my existing gmail account, I must also provide a phone number and enter the 2FA code sent to my new phone number.
So I went back and went for option (1), typing in my backup email address. Same thing happened. Because Google "couldn't recognize the device I was using", I was not allowed to sign in to an account I obviously controlled without providing a phone number with absolutely zero authentication value.
I did find a workaround. If you attempt to sign in to an account afflicted in this way in an incognito browser window, Google will, for the moment, allow it.
Never ever ever ever give your phone number to Google for verification or authorization. People just don't understand how easy it is to find someone's phone number and then steal it for long enough to steal e.g. emails. Has happened, will happen etc. Like SSN, phone numbers were never made for this purpose. In fact phone numbers and services (e.g. SMS) are just the front end and are set up to be easy to redirect.
We had incidents in the past just because the colleague had given the number to Google and those were corporate accounts.
Every time a service moves to SMS or phone calls for 2FA a cry can be felt across the universe by any security engineer/cryptographer.
If you are a person responsible for this: please don't. If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.
> Never ever ever ever give your phone number to Google for verification or authorization.
You literally do not have a choice, last time I checked you had to set up SMS 2FA first. Once you’ve done that you can set up a better method and remove the SMS, but you have to remember to do it.
> If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.
Even if it looks like you can disable it, I wouldn't be surprised at all if they'll still let you recover access with the phone number if you fail to log in enough times. They want people using their accounts, searching and using other Google $ervices.
What sucks even more is that you need to first set up phone 2FA before you can enable TOTP. You can remove the phone number afterwards, but why make it so complicated?
I don't think it's down to the SIM. It's more they call help at the phone company and say "hi I've lost my phone, number 0123123. Could you transfer it to my new handset with another SIM in." Or similar. I had my one (with Three UK) transferred to some random fraudster this year. I got it back but it was a pain and potentially dangerous. In fairness to Google they didn't manage to get in to that.
Suggestion to phone companies: When receiving such requests email and text the user saying "we've had a request to transfer your number, contact us if not you" rather than just cracking ahead.
> Isn't the SIM supposed to hold all sorts of secrets to prevent that?
The process has a security hole by design: SIM cards can get damaged/lost (usually with the phone) and you wouldn't want to lose your number just because you lost your phone or damaged your SIM card by accident. This hole is typically exploited by attackers after they have identified a high-value target. You basically outsource the control over your account to a telco employee.
I had this happen after a promotion that changed my LinkedIn title to something more prominent.
Still can’t prove what happened but someone ported my number from my carrier to Sprint and it took easily 18 hours to undo it. And it required convincing sprint, which I had no affiliation with, that the original transfer was not intended, and that yes I want to reverse it out.
It varies by country and the US is not very secure. In a lot of technically more secure countries social engineering and corruption are available for a determined attacker.
It shouldn't be an immediate problem if it's really 2FA: if the second factor fails, there's still the first factor. The problem is that many systems use phone as single factor.
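The distinction drawn in the comment above, a phone used as a second factor versus a phone that is enough on its own, can be checked mechanically. The following is an added example, not part of the original thread: it models each account's sign-in and recovery paths and computes which accounts open when someone else holds only the SMS channel. All account names, factor names and paths are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Path:
    """One way into an account: every factor in `needs` must be presented."""
    name: str
    needs: frozenset


@dataclass
class Account:
    name: str
    paths: list
    # Factors gained once inside (e.g. a mailbox receives other sites' reset links).
    grants: frozenset = frozenset()


def reachable(accounts, held):
    """Fixed-point closure over the account graph.

    Starting from the factors in `held`, repeatedly open every account that
    has at least one path fully satisfied, adding whatever that account
    grants. Returns {account name: name of the path that opened it}.
    """
    held = set(held)
    opened = {}
    changed = True
    while changed:
        changed = False
        for acct in accounts:
            if acct.name in opened:
                continue
            for path in acct.paths:
                if path.needs <= held:
                    opened[acct.name] = path.name
                    held |= acct.grants
                    changed = True
                    break
    return opened


def single_factor_paths(accounts):
    """List (account, path, factor) for every path that needs only one factor."""
    return [(a.name, p.name, next(iter(p.needs)))
            for a in accounts for p in a.paths if len(p.needs) == 1]


# Constructed model: sign-in looks like 2FA, but SMS recovery needs the phone alone.
WEAK = [
    Account("mail",
            [Path("login", frozenset({"mail_password", "sms"})),
             Path("sms_recovery", frozenset({"sms"}))],
            grants=frozenset({"mail_inbox"})),
    Account("shop",
            [Path("login", frozenset({"shop_password"})),
             Path("email_reset", frozenset({"mail_inbox"}))]),
    Account("bank",
            [Path("login", frozenset({"bank_password", "totp"}))]),
]

# Same accounts with the phone removed from the mail account entirely.
HARDENED = [
    Account("mail",
            [Path("login", frozenset({"mail_password", "totp"})),
             Path("recovery", frozenset({"mail_password", "backup_code"}))],
            grants=frozenset({"mail_inbox"})),
    Account("shop",
            [Path("login", frozenset({"shop_password"})),
             Path("email_reset", frozenset({"mail_inbox"}))]),
    Account("bank",
            [Path("login", frozenset({"bank_password", "totp"}))]),
]

if __name__ == "__main__":
    for label, model in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "opened with SMS only:", reachable(model, {"sms"}))
    print("single-factor paths in weak model:", single_factor_paths(WEAK))
```

In the weak model the mail account opens through its recovery path and the shop account follows through its e-mail reset, while the account with no SMS path stays closed.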
It's especially nice when traveling. I was once asked by a client to do something while I was in another country about 5k km from regular location. Couldn't login to the apps account for this reason (no backup email or phone set). So I didn't do the work.
I suspect it's some work-life balance enhancing thing. :D
I don't really mind, since it also helps me bash Google services in front of my clients who still use them, without being aware of these failure modes.
Personally speaking, it's absolutely a no go service. I can probably handle service loss at home quite fine, but if I relied on google or other services with these "anti-abuse" features while traveling that would be very stressful. I usually print out everything important before departing so I don't rely on any electronics, anyway, because none of it is as reliable and as quickly accessible as a piece of paper or a bunch of cash.
If you look at the gmail login page, you may notice that they specifically recommend you sign in in incognito mode when using a device that doesn't belong to you.
Their expressed policy makes an interesting contrast with their behavioral policy of freaking out and locking you out of your own account if you ever try to sign in on a device they suspect might not belong to you.
And of course, they're godawful at recognizing whether a device belongs to you. They freak out and send me "urgent" emails (on a different gmail account) whenever my phone switches between wifi and the cell network. Responding "yes, that was me" does nothing to prevent this.
I imagine it has nothing to do with security and is more about tracking. A similar failure mode with apple is that I essentially need to own two apple products with the same account to accomplish things that should only need one apple product, like making a free download from the app store.
These features came online not long after there were news articles about journalists being hacked.
The fact that Google is inconsistent about it is probably due to Google generally not being good in UX and frequently making these kinds of mistakes where it seems there are multiple teams doing their own things incompatible with each other.
> probably due to Google generally not being good in UX
You misspelled "product lifecycle management." Google's lack of accomplishments in this department is a testament to their research, innovation, and commitment to the disciplines of Six Omega (6ω) process strategies.
Can relate on the freak out part. Recently I logged in and generated an app password and it triggered 3 emails per action and to 2 different emails I had as my backup.
I had that happen, too — even after successfully receiving the passcode at my recovery address, and entering it, they still denied login. Presumably it's a bug in their system (being generous), but who knows when they'll fix it, if ever?
I currently have an old (infrequently used) gmail account, with a valid recovery email, that I cannot log in to at all.
I don't have (or want) 2FA set up for it.
I tried an incognito window just now, and same problem ):
Just had this happen to me with my Microsoft/Minecraft account. I had migrated my mojang account 2 days ago and today I was told that apparently they "detected some activity that violates our Microsoft Services Agreement" and locked my account. They did not explain what the violation was and apparently it would magically go away if I verified my phone number (which they did not have before).
Gitlab docs say the absolutely bare minimum of RAM to run it is 4GB. And that's just for gitlab, never mind Postgres. That's something like $70/mo just to host some git repos on a major cloud provider.
And if you're talking about the hosted solution... we use that at work. We have what are effectively outages once a week on average.
I like the way Gitlab as a company is run and I really want to like it but... I use gitea at home and we're actively migrating away from it at work.
Can confirm that gitea's pretty nice. It's not heavier than a web-based git host should be. I really like that it has a SQLite database option, since that's plenty good enough for low-tens of users and operationally simpler.
I self host my repositories. In this way I do not care about either. But when I am searching for code Github proves to be a very good source. I would not say that projects hosted on Gitlab are any better.
I've actually found it hysterical. The phone number question seems to be for their data mining as well as evidence. But anyone can get into any email address when prompted this way. It is possible to send a text to someone else's phone, the servers connected to phones online are often polluted but many times they are not. You can send a text to those and get the code.
Or of course, just send the code to anyone and SS7 hijack that specific text message. You aren't hacking them, after all, you're hacking yourself or someone else.
> if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)
I am one of those people using option 2, by virtue of keeping a lot of old email accounts that I have set up to forward to my main account. So I don't usually need to remember which account it was, and just wait for the email to come through from the void.
Once upon a time not long ago, I got off from my flight into a foreign country (I don't have a SIM card that would work there). I turned on my wifi and was delighted to see they had a public network you can use. There was a captive portal, and the only sign in options (besides using a local phone number) were Facebook and Google. I chose Google, and entered my id and password. Google promptly went into the "sus" mode as you described.
Now I can't use option 1 or 2 because I don't have internet access until Google approves my sign in. I can't use option 3 because I don't have a SIM card that would work locally. Thankfully Facebook login worked.
That's when you turn on the DNS tunnel (https://news.ycombinator.com/item?id=7619259). If they somehow detect that and try to block, change your MAC and repeat. Those bastards deserve it for trying to force users into megacorps' services.
When I sign into a Google apps account I have associated with a school about half the time I am forced to go through option (3) whereby I’m asked for a number they can send a SMS to. I am never presented with option 1 or 2. Per the tenant settings which I do not control, 2FA is disabled and users cannot enable it, nor provide a backup email last I checked. Extremely frustrating, especially not being able to use a VoIP number, landline to dial, or set up a more robust TOTP generator or the like. Perhaps the school should codify the requirement for students to have cellular service just to enroll, since it’s the de facto case already. sigh
How does that story have anything to do with being evil, by any stretch of the definition?
Are you insinuating that Google has this convoluted verification flow to intentionally harm people in some way? Or even to intentionally harm privacy or further business goals at users' expense?
Or are you just using "evil" to refer to anything you don't like?
> Or even to intentionally harm privacy or further business goals at users' expense?
Yes (and obviously).
Google, and other SaaS, have used such dark patterns to collect more user identity data (user profile info is what they ultimately sell - even if sold to advertisers "anonymized", the profile is richer and more worth the more data they have on you).
What never seems to come up is that as far as ads are concerned and with the amount and kinds of data that these companies are and have been collecting, your name is worth zilch. "Anonymized" is a red herring.
> How does that story have anything to do with being evil
Google forcing you to enter a phone number is dishonest/hostile and has absolutely not the slightest to do with any desire to make your account more secure.
It's basically just Google holding your account hostage to get your phone number.
It’s a false reason to collect more data by holding your Gmail hostage until you provide a phone number. It is a pretty shitty user flow with no benefit except for their data collection.
I think that comment refers to Google trying to know more identifiable information about the user: a phone number. Which adds to Google’s collection of private data, susceptible to more profiling and such.
As noted in the parent, in the given scenario the phone number provides absolutely no improvement in security or verification that the person who enters the phone number is actually the owner of the account. At best, granting Google the benefit of the doubt, it is security theater.
So, since it isn't effective for its stated purpose, are there other reasons it could be in place?
I had this problem this week too. I have a secondary Gmail account that is forwarded to my main one. I tried to login to it, they demanded a phone number (even though I do have access to the backup email), and wouldn't let me in because the only number I have is one that's already in use on my main account. I guess now you need one unique fully-functional phone number for every Google account you have?!
> if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)
Two options from the top of my head:
1. You have email forwarding configured so received mails will be delivered to another account. That's generally configured in the settings of the provider (i.e. directly under account settings in Gmail iirc).
2. You have a logged in device which receives mails through an application password. You cannot read it out because it's masked and even if you could, it wouldn't help you because it's only allowed to receive mails, not login.
I don't think this is particularly rare, honestly.
I have real anxiety about being locked out from "digital self" someday due to issues like this. Sometimes I really think this just isn't worth it anymore and I'm far too invested in "the Internet".
There's a workaround to fix an account afflicted this way, use a yubikey to add as a security key and then add a 2fa through the google authenticator standard (which works with 1password). Once that's set up google will never ask for your phone number again.
I seem to recall fb doing similar. It's similar to banks or telecom providers requiring a person's home address (or worse: to prove it using a utility bill).
Wherever I can I set up code generation / TOTP 2FA precisely to avoid lockouts. Then to avoid losing all of those whenever I change/reinstall my phone I opt for the less secure option of storing them in a password manager...
I can't think of another way not to get locked out in case I ever lose my phone.
Google, Paypal and a few others seem to be the worst offenders at "protecting me".
Yep, the latest example was my credit card company rejecting my GV number. They easily have the means to see that I've been using it for 10+ years and it's definitely me. Luckily they wanted my business more than they cared about that policy; a CS droid was able to "force" the system to allow it.
Requiring cell phone numbers isn't about anti-spam or 2FA or anything else these services and sites claim.
It's about linking your account to a real person identity, so they can sell that to someone - either live, or later when they get bought out (privacy policies almost always have a clause that allows them to just fork over all your info to whoever buys the company.) "Where was phone number 111-555-1212 at any point in time" is really valuable these days.
SMS for 2FA is less secure because cellular accounts are almost trivial to take over. Carriers never intended for their accounts to become so important to security. These days you can get a second password added to prevent shipping out a new SIM or transferring the account, but that's bypassable by a cellular store on the corner, and poorly implemented (my carrier just adds it as a CUSTOMER VISIBLE AND EDITABLE comment on my profile. WTF?)
If you get someone's unlocked cell phone or a SIM card, you can get access to their email account, their bank and credit cards...damn near everything. How fast can you lock and wipe your phone if it was ripped out of your hands while you were using it in a public place?
> It's about linking your account to a real person identity, so they can sell that to someone - either live, or later when they get bought out
Yeah, this can't be emphasized enough. Phone numbers are established as universal identifiers. Discord is sitting on a giant heap of personal information including DMs from millions of young people. It is all centralized, both in terms of data, and in terms of accounts (instead of them having to correlate an account between multiple forums, most of which volunteer run and they don't turn over non-public data for money), and also associated with phone numbers. Making multiple accounts for different areas of life is made hard. Beautiful for whoever has access to the data.
Asking for information for one purpose and using it for another is amazingly user-hostile and abusive, and it's an almost universal practice for technology companies.
I first noticed phone number abuse with facebook, which asks for a phone number for "security" but then uses it to match you with advertisers.
It's the same scam that sites have been running for years where you have to use an email address as a user login, and that address is instantly added to spam lists.
"Sign in with Apple" is hilariously useless since privacy-violating apps can just require a phone number for "security" or "verification" purposes.
It's 100% about linking identities between services. I've had my cell phone number for 25 years. It's basically a lifelong identifier at this point and I constantly have to use it for low value online accounts. I wish I could go back 10 years and get a dedicated phone number for online verification.
The security side is a total lie as well. Your post made me think about the biggest risk for myself and, like many people I know, I put my email address on my lock screen so that if I lose my phone someone can get it back to me. Now it just clicked for me and I realize I need to change that because if I lose my phone someone has everything they need to recover a lot of my online accounts. My Google, Microsoft, Amazon, etc. accounts all use that same email address and all they need to do to perform SMS recovery is put my (unlocked) SIM in another phone.
> This whole "you're not a human unless you have a phone number" thing sucks.
Oh it’s even worse than that. I have a land line that I use exclusively for when I’m forced to give a phone number (and also for faxing doctors and lawyers which is apparently still a thing). Many internet forms reject it because it can’t accept text messages. Yeah, that’s the fucking point. I don’t want text messages from your shitty service. It’s still a legitimate phone number you can call. Don’t ask for a phone number if you won’t actually accept a valid phone number! FFS!
Yeah same. ETrade recently changed their phone verification system and can no longer send me a text message to verify my identity. I'm actually ok with that because it forces them to use the security token instead, which they should be doing anyway!
And often I'll run into problems with silently failed messages because they don't accept the number.
I think this is completely different than having a credit score.
I’ve never ‘needed’ a credit score unless I was requesting a line of credit. In which case a credit score is better than the alternative where I need to personally know someone that the lender already trusts and trusts their ability to trust other people.
You don’t ‘need’ a credit score but if you want a line of credit then it’s good to have. Otherwise you get the products that they offer to high risk individuals which costs a pretty penny.
A credit score is used as a trustworthiness analog in arenas other than lending. For example renting a house or car, and some phone companies won't give you access to a post-paid plan, all of which can have a stratifying effect. The idea that because I don't take on debt that I am not trustworthy is wrong. I can pay a larger security deposit to offset risk, but often times that's not an option.
I've also heard tell of employers using credit checks to evaluate potential employees though I haven't researched that.
I believe that grandparent's point was that by not taking on any debt they don't have a credit score which can be verified. You can't verify something that doesn't exist in the first place.
I thought their complaint was that without a credit score, businesses don't see them as 'trustworthy'. The OP separated 'trust' from 'credit score', and says they shouldn't be conflated.
However since all of the OP's examples involved credit (car rental post-pay, phone usage post-pay, etc.) then in those cases trust===credit score. Without a credit score, you're basically asking someone to trust blindly that you'll pay back a debt since there's no track record of your ever paying back debts.
The problem is that I don't have an alternative method of proving my trustworthiness and as a result lose access to some products. Often times prepaid plans are not equivalent to postpaid plans, I can't just put a security deposit on a rental car to offset risk, etc.
Why must communities be forced to accept everyone? Or even be nice?
When in a group of friends we can often times not “be nice” however because we know each other, we understand it comes from a place of love.
Perhaps it’s a military background thing, but exclusivity has its benefits.
> I end up having to take the sim out of my laptop and put it in my PinePhone
Just in case you are not aware, you can receive verification SMS on your laptop as well! On Windows 10 there is a built-in app simply called "Messaging" which shows you all the SMS received on that number. I'm sure something different exists for other OSes.
This is what I do when asked for a verification number and there is absolutely no way around it, I just put the phone number of my laptop's SIM card, that way I don't have to worry too much about spam too because I will never use that number in a real phone.
Nice, thanks for pointing this out. It's fucking annoying that I'll have to figure out how to install the Windows Store on my computer to get an app that can receive text messages, something that you know, should be available through a pipe/file/tty or some dead simple interface since it's not exactly rocket science to receive 160 characters of text.
Sure, WWAN modems are not only a thing that exists inside mobile phones. ThinkPads (and I'm sure other business-oriented brands as well) often (always?) have optional slots for WWAN modems, so you can use them for a mobile internet connection without tethering. I've been using that feature for over ten years now.
In my older ThinkPad, the SIM was a slot behind the battery. In a later model, it's a tray that has to be opened with a paperclip next to the card reader. The modem itself is a mini PCIe card like they're used for some laptop SSDs and antennas are in the screen like wifi antennas.
I’m sorry you ran into that problem. I ran into the opposite problem, of thousands of fake accounts a day using VoIP phone numbers to create accounts. Almost all of them were fake/abusive when they were investigated manually. Blocking these numbers felt like the sensible thing to do, because it made the abusive account creators spend more time, money and energy creating their accounts. I’m sorry it impacted you.
Using SMS as a login verification thing is just so irritating. My bank asks me to enter an SMS OTP every time I login to the website. I know my username and password! Let me into my bank account!
They're trying to do that to break 3rd party financial integrations. Not for your security but because they think they deserve to get paid for your data and these other people haven't paid up.
Credential stuffing is a widespread problem. I'm sure everyone on HN uses a password manager and different passwords for every service, but many people don't.
It makes a lot of sense for a high-value target like banking to require 2FA, but SMS is the worst way to do it.
I've had a Google Voice number for so long it's the only voice number I have these days. I can't say it's a recent experience that it doesn't work with certain things though it has been a recent experience the things are aware it doesn't work and will alert you. Overall though I've yet to run into anything I couldn't use an alternative method for authentication be it luck (e.g. got into Discord before they required phone numbers) or email or calls being a thing (and working when text doesn't).
Ironically the biggest PITA I had was when I decided to migrate my primary cell number to Google Voice it was my fallback contact number. Thankfully I only ran into that as an issue once and was able to get back in to set up Google Authenticator (which was also new and hip at the time).
As one point of anecdata, the IRS refused to honor my Fi phone plan because it didn't have my name and mailing address registered on it (or at least to their satisfaction). I don't know if they still require a post-paid cell phone plan for their auth scheme or not, because I gave up trying to make it through after about 6 months of requesting magic codes through the USPS.
Anyway, that's a lot of words to say "MVNO" is for sure not identical to "any other cellular network" for a certain class of interested parties, in the same way that pre-paid credit cards are not the same as other credit cards.
Isn't it a shame how the world got Google Voice backwards? The savvy among us saw it as a way to present our one true phone number/identity to the world, and have options for different back end phones and services we could use. Cell phones, land lines, Hangouts, computer voicemail, all that. But the average schmoe sees Google Voice as a way to get multiple disposable numbers to sacrifice to spammers and bar hookups and commit minor fraud. So it became useless for its main purpose: being your phone identity.
Everyone used to use your social security number instead to uniquely identify people but that was made illegal because of the many problems this caused. But companies want a unique identifier for people. Now that everyone has cell phones people never change their phone number so it is a great unique identifier that is legal to use. Not enough edge cases, yet, like yours to worry about. Maybe it will be made illegal in the future.
Thanks for the info. I guess I remembered when companies stopped printing out social security numbers on everything (badges, informational letters, etc.) and using them generally due to, probably, this California law[1].
I had been using my gv number for 9 years for everything as well. I recently ported it out of gv into my mobile carrier since no one knew my carrier number and I was running into too many annoying voip restrictions. So far I don’t miss gv.
> You literally put a sim card into a phone for it to be treated as a cell number?
Well of course -- the SIM is the (as others have pointed out, "currently assigned", yada yada) phone number. So what else would any device with a working SIM slot be treated as, than a cellular device?
Or to be really pedantic, 'is currently assigned a particular' phone number.
Since you can change phone number without changing SIM (I don't know if it's global, but in the UK you just text a certain number for a transfer 'PAC' code) and clone them.
My laptop has a built in cellular modem, I find that being connected to the internet constantly is much more useful in a laptop form factor. Phones mostly just try to serve me ads in invasive ways and I'm not here for it.
Yeah, I'm sure it's possible to do so, but unfortunately my BIOS locks me into the OEM modem, there is no linux driver for it and the windows one is not documented so no luck for me in that regard. At some point I'll pour some more sweat into it and try to unlock the bios or something but sadly for now this functionality that my computer absolutely has is unavailable to me.
Same with getting NMEA sentences off the GPS, I have to use windows' idiotic location API for that. 9600 baud serial worked just fucking fine, I don't understand why that isn't available as well. It's so annoying that I have to fight this hard for functionality my hardware already has.
Whatever comes with should work mostly fine, whitelist unlocks are for those who didn’t option a WWAN. All WWAN modems are the same, usually they have 3-5 serial ports for modem control, data, debug, and NMEA. My hunch is your ttyS2 takes “GPS enable” command and it’ll start murmuring it on ttyS4.
None of the TTYs that Windows exposes will even let me connect (access denied error even as admin) and there is no Linux driver, or maybe there is now with very recent kernels?[0]. It would surprise me if it worked well but I will spend some hours to find out soon. Intel/Fibocom don't provide support for their modems except to OEMs afaik and I don't see any mention of successful connection under linux w/ my modem (Fibocom L860-GL/Intel XMM 7560) around the internet. I have tried with some other LTE modem (model forgotten) in the past and I wasn't able to see it under Windows or Linux at all.
[0] says it also supports MBIM which is supported ootb with ModemManager and somewhat recent kernels. If your BIOS does not allow this, you probably need to tape over the PCIe-Pins with some non-conductive tape.
Phone verification can certainly be annoying, but anyone who's been part of large Discord communities will know that spambots that DM users with all kinds of scams are a huge issue. Phone verification stops someone from raiding a server with it enabled with hundreds of bot accounts. As for VOIP numbers not being allowed, that also makes sense; VOIP numbers are extremely cheap and allowing them to be used would defeat the whole purpose of phone verification.
Personally I think that giving server admins the ability to require phone verification is a good thing. It's not mandatory and it's only used if the server admin enables it. I don't think it's fair to blame Discord when it's a choice made by the server admin, plus a forum could have the same requirement.
My problem isn't with the phone verification. I totally understand why they do that. I don't even have a problem with not accepting VOIP. I get why they do that too.
My problem is that they don't have an alternative, and there is no way for channel admins that turn on that feature to know how many people can't get in because of their choice.
They should either have an alternative way to verify oneself, or a way for the channel admin to allow you in without the verification, or both.
That being said, anecdotally I have heard Discord locking/terminating accounts without verified phone numbers (usually if suspicious activity has been detected).
Definitely, I agree that phone numbers are a flawed verification method. Something better needs to be created, but I can't think of anything that wouldn't have the same or different flaws.
There’s an ID verification service, at least in the US, where you go to webpage A who wants you to confirm identity, A then redirects you to the service. The service asks a bunch of questions like ‘which of these cars have been related to you’ or ‘which of these addresses belonged to you when you lived in town x?’
That generates a score where the service determines if you are who you say you are and returns the result to the calling web page.
But I assume it uses background check/credit check information which may be limited to the US and is a paid service as compared to phone validation.
I've had good luck answering those questions by pretending I know nothing about my own life, and using only information I can find from search engines to answer those questions (eg "What city is LAKE STREET in" - search for each option they give you to see if it has a Lake St). The few times this has failed (probably 70% success rate), they usually just want to send you a letter in the mail instead. I'd much rather wait a few days than end up confirming their surveillance records about me.
The difference though is that verification through phone numbers relies on money that you've already spent, which is a lot more reasonable for the majority of users. People would still be unhappy if they had to pay 5 bucks if they didn't own a phone.
It's about increasing the cost of spam right? For some money is better than using your phone number, for others, they can continue to use the phone. Neither is exclusive of the other.
I know for some they would definitely choose the $5 over the phone for very good privacy reasons.
Less unhappy than the current situation where they can't use the site at all.
Also there's precedent of sites doing this. MetaFilter charges $5 to create an account. The bitcoin wiki used to require a fee (in bitcoin)[1]. Something Awful forums have a fee.
There’s a bot that will ban most of those spam bots called Beemo. You realize a lot of bots are verified right? I’ve seen scripts to verify accounts on GitHub and spoken to the kinds of people who would automate accounts via scripts just to have a bunch of alts. They get numerous alts into servers just to spy. It’s a kind of art I guess. I wouldn’t recommend doing any of these things.
Personally I just wish Discord wouldn’t rate limit bans if they’re not going to make a true effort to catch these bot farms. Gee I wonder how likely it is that three thousand accounts will decide to join the same exact server at the exact same minute? Having modded a decent (tens of thousands) sized Guild I gotta say people pop in every few minutes or seconds. Unless something big and relevant to your server happens that draws more traffic, but even then never thousands in seconds.
Spy bots get away because they don't spam or do anything weird. No one is sitting there auditing users who haven't spoken much. Spam bots will end up with their account banned and phone number blacklisted.
Yeah, they definitely need to do better, but forums can have the same phone verification requirements, it's not really a negative of Discord compared to forums in my opinion.
> As for VOIP numbers not being allowed, that also makes sense; VOIP numbers are extremely cheap and allowing them to be used would defeat the whole purpose of phone verification.
Cool, except whoever or whatever is deciding what is and isn't VOIP is not doing a good job at making that determination. A few years back I ported my old cell phone number to a VOIP provider. I now have a new phone number on a different carrier. $OldPhoneNumber is apparently not a VOIP number and $NewPhoneNumber is. So I had to use the $OldPhoneNumber on a VOIP provider to verify my account because $NewPhoneNumber with a carrier wasn't acceptable.
But hey, it's their closed platform and they can use whatever means of keeping people off of it that they want. I don't really care for it anymore.
That's not true at all. At any point your account can be flagged by their internal system and on your next login you will be forced to add a phone number "for security purposes". It happens to people all the time, but in particular, though not limited, to TOR and VPN users. So, yea, sure Discord's not at fault in the situation where a server admin turns on the phone number requirement, but they are definitely to blame when they force users, some who prefer to remain anonymous, to either give up personal information or lose their account forever (support will not help you).
Not sure if this can still happen if you've got 2FA turned on, but seeing as I see it mentioned more often from tech literate people (e.g. on here) who are more inclined to setup 2FA I doubt it makes a difference.
Phone verification would be fine if discord had support for multiple accounts/identities. It's a fundamentally important feature of any online social service to be able to retain privacy and have different identities for different purposes. Discord makes this very difficult.
If they allow the user a chance to send an appeal or out-of-band alternative method to verify then this becomes less of an issue. It's when people presume certain baselines — like a phone number — that it becomes a showstopper to community.
I have seen Discord servers that use 3rd party verification systems, but very rarely. An alternative to phone numbers would be ideal, but there will always be flaws similar to the flaws of phone verification in my opinion.
I totally get all the frustration over phone number verification but it simply is the easiest and most effective method. It's really hard and expensive to get more phone numbers while every other method is easy to get unlimited accounts. Almost every country has phone numbers tied to ID as well so you can report the worst of users to local police.
Discord pushes SMS verification because it a) gives them your identity which is valuable and b) avoids them having to spend money on proper bot/troll mitigation.
VoIP number bans don't accomplish much because there are lots of services that sell real-sim-backed numbers and nowadays there's even eSIMs.
Not just that. Why do you need to share such private information for every service out there? It's pure madness. It is, and will be used for tracking you online everywhere.
I have a regular phone number in Singapore from a new range of numbers that doesn’t work with many services, even with some government services.
Customer care typically replies by having me first prove that the number is real (by showing a phone bill for getting a verification OTP, think of the irony) and then goes silent because they can’t work around their (human) robot way of thinking when something is unaccounted for in the handbook. (Already shifted a significant portion of my regular spend on groceries to a different provider, but they don’t seem to care)
It’s very frustrating because there are other ways to prove my identity (government even provides a digital Id / signature app) and contacting me.
Services should work with the minimal needed set of properties from the user, Discord and Slack are very annoying, there’s no need for all this hassle for a small question. I would spend the extra time looking for an alternative product where I can than signing up.
What happened to people caring where users drop off in the funnel?
Losing a user or customer once you’ve spent all that time, effort or money acquiring them by having barriers that don’t have any benefit is just silly.
On the other side there are bots that impersonate users to send spam or raid servers to overrun moderation and “DoS” the server’s communication. Part of the value proposition of running on Discord or Slack is that they handle offloading a large amount of user verification/spam prevention and moderation tooling. The only one you really have to do is manage rules and have some sort of rotation so at least one moderator is online to handle potential issues.
Is this the only viable solution today? Fully opt in to a provider that isn’t user friendly?
For a free service maybe ok, but then you typically shouldn’t have the bot problem to such an extent if it’s small enough.
For a paid service: no way, please find a way around this or I’ll find a way around your service as soon as a problem pops up and causes me extra inconvenience just to sign up.
What I like about forums is that a) they're indexable by search engines! and b) because there's no expectation of an immediate response, people tend to put more time into their requests for help.
I support a FOSS project via Slack, and information sparse requests are sadly the norm, I found that 95% of my responses are "Can you please provide more logs/configuration/actual description of what you were expecting, and what happened instead".
> What I like about forums is that a) they're indexable by search engines! and b) because there's no expectation of an immediate response, people tend to put more time into their requests for help.
For me there is also c) I can browse the content that is already there without signing up. Not going to join your Discord "server" when I don't even know anything about your community.
> Not going to join your Discord "server" when I don't even know anything about your community.
Why not? It's just as easy to join a discord server as to visit a site. If you don't have a Discord account already you can just type something random for your nickname.
Click the link, hope you're not inadvertently joining with your porn account, type a nickname, sit in the waiting room for 10 minutes until you can click the emoji that says you read the rules, get in, get notifications from unrelated channels because someone used @here begging for boosts, write out your question, get pinged again by a bot because you levelled up, then discover it wasn't the server you were looking for after all.
I don't think it's really about identification. Binding user accounts to SIM-based phone numbers is an effective way of limiting account creation as it's effectively binding it to a physical token.
I can only guess why Discord wants to do this (fighting scam bots?), but for example for Tinder this is a very effective way of preventing abuse on the huge early discovery boost after signup or long inactivity.
I understand why they do it, and I have no problem with that. My problem is their lack of an alternative. Either have an alternative way for me to verify, or a way for an admin to let me into their channel without verification.
What if that alternative was "worse" than the phone number method? Would you then complain that there's no "easier" alternative?
For example, a photo-id as an alternative, which imho is way worse?
The problem with presenting an alternative is that if it is "better/easier" than phone number, then it gets exploited by the spam bots. If it's worse than the existing phone number method, then you'd have the exact same complaints, or worse.
The real issue parent and many sibling comments are running into has answers all the way down in individual liberty and sovereignty. Technology companies have pulled out the rug from under us to deliver the illusion of convenience and safety. Benjamin Franklin seems to be ever relevant: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."
But we're here now, and as much as I might fantasize I can't make myself believe that anyone would willingly accept a significant regression on the convenience front. The only way out that I see is to reconstitute sovereignty in a modern form.
We need "something" and I think we're getting close. Web3, dapps, and cryptocurrency are all aiming in that direction, and even if some instances are a miss I think we'll hit it eventually.
This is super frustrating. Discord requires server operators to enable phone number verification if they want any of the additional "Community" features. It's a hugely backwards requirement and it's the main reason I haven't given the community feature set a second look for any of the servers I run.
> Members of the server must have a verified email on their Discord account before sending messages or DMing anyone in the server. (Note that this doesn’t apply to users that have assigned roles!)[1]
I also help with running a community server which doesn't have the phone number requirement enabled either. It's also not required for partnered servers as far as I'm aware.
You can even get around the email requirement if you just add a bot that gives every new user a role, since any role will automatically verify you as mentioned here.
Ah, I was misremembering whether email or phone verification was required. Either way, it's still a very heavy-weight requirement for what's basically a drop-in drop-out support channel for us.
From what I see the only verification related setting you need to enable for community features is the member email verification requirement - Please correct me if I'm wrong.
I have to imagine that most SWATTING is done using a VOIP number of some kind. No one would use their cell phone or land-line connected to their real identity (also: your real identity likely isn't physically located in the area you want to perform swatting. You wanna change your area-code to match the target)
It's also not required by discord. Discord doesn't even require that you have an account. They leave it up to "server" admins. You can pick options from allowing guests, allowing only accounts, and requiring only phone number verified accounts.
Any alternative would have to be inconvenient by design in order to work though, that's why phone numbers are used in the first place.
An effective verification system usually involves money at the root; verification in the style of phone verification works using proof of ownership of a limited resource, and most limited resources cost money (phone numbers, IPv4 addresses, etc).
In the real world this is analogous to charging money for access to an event purely in order to ensure it's not overrun with attendees, improving the experience for people who care enough to pay to get in. There are similar downsides to this; people who don't have money are left out.
Why not? It still limits bot creation (same number can only be used every 6 months). They don't actually want to know if the number belongs to you. Not much different than using a burner number.
> Not everyone has a friend with a phone that doesn't use discord that they can use.
I believe Discord can afford to ignore those 3 people. Not saying it's convenient for the user, but it's not enough of an issue to encourage Discord to find a solution.
One of the best ways we can educate people is not being reachable on these sorts of platforms. Delete your Facebook accounts so you can't be reached on Messenger or WhatsApp or Instagram. Delete your Discord account so you can't be reached on Discord. Delete your Clubhouse account so you can't be reached on Clubhouse.
That is bad enough, but the worst part is that the content is not really discoverable outside of Discord. Sometimes you don't want that of course but I have seen communities pretty much dying because they only met there with no influx of new users.
You’re probably deleting its cookies. I had the same problem until I set up a (Firefox) container for it and whitelisted its cookies in that container. Now, no university reminder and no need to re-login either.
(I use the Cookie AutoDelete extension to automatically delete cookies.)
I used a VoIP number with Discord, because, f them, "I don't [need to] have a mobile phone". Also I think we should call ADA violations on any company that requires people to have a mobile phone.
It's possible to use a VoIP number. Happy to share how if you can prove to me that you don't work for them.
Hmm, something in my uBlock Origin filters blocks their signup page.
Anyways, I've been using https://www.numberbarn.com/ for SMS-based 2FA for a few years. Works great for stupid services that demand a US phone number (I'm an American who lives abroad, grrr) and don't have time-based one-time passwords.
just wait til they roll out 2FA with the phone number being needed for a confirmation call (no authenticator app, there was a bug found in auth app 7000! voice calls only way!)
I just wish people would use a system that's integrated into where the code is. I don't want to have to register for a forum when GitHub has a perfectly good ticketing system (and now discussions), and yet I have to register at another place where my details can be leaked from because who knows the technical capability of this one single person who may or may not have done any security.
If it's a company, please have the forum integrated into your software.
I seriously do not want yet another login unless there is a good reason. It's ridiculous. I have nearly 700 logins in my password manager and I'd say probably 500 of those items are websites I've registered once to ask a question (quite often questions that go unanswered). Half of these forums do not even provide the capability to remove my account without contacting the admins, which is just an unnecessary hassle.
> If it's a company, please have the forum integrated into your software.
Counterpoint. Other companies absolutely suck at making forum software. It's because it's not their core business, so why would they put more than token effort into it?
Edit: upon re-read this seems to be exactly what you are suggesting, so please disregard my reply.
The solution here is a forum set up with robust and plentiful SSO solutions, so existing authentication providers can be used.
I’m a believer in just creating a subreddit. It’s free and easy, many people already have Reddit accounts and it’s a much better forum than the ones that would be self-hosted, including moderation tooling and bot ecosystem. The threaded discussions are also better than what Github offers.
I agree that subreddits have a very low barrier to entry, but all that comes at a cost. Among other things, one of those costs is that your content is no longer owned by you.
Should Reddit decide to take itself private, or make ethically questionable decisions, etc., you are locked in due to the networking effect.
There’s risk in everything…self-hosted forum software run by an open source project also has a potential of going offline, either because hosting becomes onerous/expensive or some sort of database issue. Discord and Github have the exact same potential you’ve mentioned for Reddit. There’s no perfect answer.
Right. Good luck having a conversation as the channel grows. There's been several times where I've joined a channel, asked a question, and my question is gone from the screen before anyone is able to answer. Slack/Discord are way better than Telegram for support.
The biggest downside of Reddit is that it's so darn hard to find your own posts. The Reddit search seems completely broken for this, so you rely on DDG/Google etc. but this is far from perfect.
I downloaded all my messages with some script, but that doesn't seem complete either since there are messages missing I'm *sure* I posted on Reddit. It's also not very convenient.
Why do I want to find my own posts? Sometimes I write something at length explaining X, and then a few weeks, months, or even years later someone asks about X again and I want to link my previous detailed post.
IMO if you write "at length" explaining something, copy that to your own blog or at the very least a markdown file on your own computer. Don't rely on a 3rd party site for archival.
I usually save things (not just Reddit comments, also HN etc.), generally speaking the bar of what I publish on my site is higher than what I may write in a comment. Sometimes I get around to polishing stuff, sometimes not. Other times it's just too specific to really publish on my site.
Finding stuff in the chronological list takes forever.
You need a certain amount of reddit karma to make a subreddit IIRC. You can farm it, but it's yet another thing unrelated to working on your project you need to do, plus it takes time (could take days).
The whole process is opaque too, it feels distinctly like "we have arbitrarily bestowed upon you the privilege of operating subreddits... for now".
I like the reddit format so I've tried this option myself.
I wrote this a year ago as my employer was starting up their forum[0]. While we have since added slack, the forum is the main support mechanism for our community (people who pay us money get support tickets).
I still stand by that choice for:
* SEO
* durability
* question quality
I can't recall the exact numbers, but something like 5-10% of our overall traffic is to the forum.
FusionAuth is a pleasure to work with. Thanks for the work and documentation :+1. You folks done saved me a lot of time, hopefully if I make a dollar will pay it forward.
I think "less capable moderation tools" is really underselling how purposefully useless and nonexistent Slack's moderation tools are for open communities. I cannot overstate how terrible Slack is in this regard.
To be clear, I really and truly don't fault them for this: Slack's always been clear that their focus is on business communication, which is a totally different animal when it comes to moderation needs. Discord is nearly infinitely better in the sense that they have any tooling at all, but it's still considerably far behind the resources I've got when moderating a large Discourse instance.
I understand your pain. Even simple things like moving posts from one channel to another aren't possible for an admin to do in Slack, although this has been basic forum functionality since...ever?
Do you not have separate channels for that sort of thing? We have a channel called "big-wins" where the sales people can flag up new/extended deals. I have it muted but check it out from time to time to see if we've bought in any interesting customers.
Channels and channel discipline are the key to keeping Slack manageable. Have lots of channels with specific purposes and people can choose what they care about and ignore the rest.
Urrgh. We don't have a general channel for exactly that reason. We have a channel for general chit-chat that is nothing to do with work but that's as close as it gets. Anything else work related goes into subject/team/project specific channels. We even have a shoutouts channel specifically for bigging up someone who has done a good job at something.
general channels are cancer in any communication system as far as I've experienced.
I moderate (but I’m not admin for) a ~5k member Discord server, and the only tool I know of to move conversations is to tell the users to take it to #other-channel.
I tried adding this bot to my server, Discord gave me an error.
"This bot can't join more servers as it has not been verified or is requesting gateway intents it has not been verified for. Ask the bot's developer about https://dis.gd/bot-verification so you can add it to your server!"
I know that you're probably not the dev, just posting it here for visibility.
I prefer forums due to similar reasons, but I found asking questions as a user on Discord more "successful", so to speak.
On a forum, the chance of your question being totally ignored is much, much higher. Some do have some staff that seem to be obligated to reply, and they will just.. copy and paste some templates.
On Discord, even the devs and staff are not always there to answer questions, there are often enough other users that can help you, and they are willing to discuss with you if details are not clear (as soon as you're polite). Even though they don't always solve the problem, you can tell someone actually looked into it. And all these happen in real-time, without at best half day delay between each exchange (it helps that Discord is hella popular so lots of people are online all the time, and the chance to notice your message on a server they're in is much higher. Can't say the same for any random forum.)
I still prefer GitHub issues, but after that, Discord. Forums (or the communities it normally forms) really don't cut it.
I totally agree, and I believe that was also the reason why IRC was so successful in F/OSS communities.
Traditional thread-based forums are great for archival but also seem to encourage a full-sized post, which is a conversational barrier by itself and also limits the potential engagement by reducing the number of people willing to reply. It doesn't seem to me that the discouragement of short posts is inherent to forums though, for example traditional South Korean forums had been traditionally evolved from BBS and had a strong dichotomy between posts and comments, so short comments and quick reactions were norms (longer replies are typically posted separately in a post). GitHub issues seem to be somewhere between those different models.
This. I help moderate for the community surrounding Obsidian.md. We have a discourse forum, a subreddit, and a discord. The discord is by far the easiest place to actually get help — and not because the forum isn't active (it is) but because it's real-time and there's always someone around.
Whenever I have to go find a forum for a product I'm using that doesn't have a discord, I have to twiddle my thumbs for a day before maybe getting asked a clarifying question.
Sure, there's a "static knowledge base" but in my experience, most search features suck for figuring out if something has already been asked before, but at least discord doesn't make you feel dumb for not having found the old relevant thing already. Plus, it's a lot harder than it used to be when I was active on jcink boards to actually trawl all the new content (a problem for me because I write the community newsletter every week — consistently the one thing I don't actually read all of is the forum. I'm able to keep up with everything else, including twitter).
I understand the value of threading, but don't underestimate the value of linear, chronological thought, either. As a moderator, there's a lot of emotional relief in being able to be sure that I saw everything, and didn't miss a new comment in a thread I stopped reading a week ago.
+1. Also, IMO many users already use Discord for other purposes, so they're more likely to check your project's channel while checking other things. Meanwhile, nobody really goes out of their way to look at a project-specific forum, not until that project builds sufficient momentum.
Dev teams also benefit a lot from having an async way to discuss bigger issues that require thoughtfulness and long form answers, especially remote teams. There's a reason mailing lists are still somehow alive and well in open source projects that have been remote first for decades.
We're using discourse internally for this (in conjunction with matrix) and it's allowed us to have discussions I don't think we would have otherwise had.
Prior to Slack I spent many years as an OSS maintainer. I also participated in a Slack channel that discussed my OSS tool's general problem space. That Slack workspace was on the free plan, so messages older than 6 months were memory-holed.
In practice that wasn't too big of an issue. Most developers understood that GitHub was the place for concrete actionable things and long-term discussions, whereas Slack was the place to build relationships and address burning questions quickly. Most developers understood this distinction, though occasionally some would have to be steered towards GitHub when discussing potential bugs that benefitted from a proper write-up.
I also worked at a large company that paid for Slack, and it was much more of a long-term memory resource. But as always, whenever I found myself repeatedly searching in the message history for a particular piece of information it always made sense to put it somewhere more defined — in a readme or some other sort of document.
At Slack we have the same basic breakdown — Slack (the software) provides a really useful context for why certain decisions were made, and in a pinch the search feature is great for finding particular nuggets of information, but that doesn't stop us using Quip, GitHub and Jira for tracking longer-lived information.
As an end user, I find that in practice most projects don't actually move any information to a suitable spot.
I can't tell you how many times I've Googled an obscure error message and the only two results were the source code where the error came from and that self-hosted, open-source Slack alternative that Google can index. At that point, I already went to check the source code, and when I click the chatroom where the message is supposed to be, I reach some kind of archived page that's clearly at completely the wrong place in the chatroom history with no way to find what I was actually looking for.
At least the open source clone is searchable, so much troubleshooting could've been avoided if people had used forums rather than Slack/Discord/Mattermost for "support forums".
If they'd been using a forum, would you have a good record of the solution? Or would the problem just never have been solved? The low friction of slack-like tools matters.