This is fascinating, thank you so much! I knew about image emebdding in the pixels themselves, it was slightly trendy back in the day, but I had no idea people had progressed it to animation like in the second video.

Yeah the QR standard is astoundingly resilient to noise. iirc the highest redundancy can still be read with 60% of the glyph obscured, it’s really a fascinating protocol.

While there’s plenty of merit to what you’re saying, I’m too sick to have a coherent thought beyond maybe pointing out that the main issue with legislation like this isn’t that it doesn’t specify security requirements, but that it’s forcing people who do not have infrastructure established to collect and manage sensitive info of this nature in the first place.

Discord never set out to collect this much PII, and as far as I’m aware there’s never been a breach of their payment information processing. Like you say, it’s an established thing to handle payments and is fairly routine to implement. There is no routine method of handling ID verification yet, and the solutions that exist were forced to be developed rapidly and with no standards.

The legislation is at fault for putting people in this situation - that they used Zendesk was a boneheaded move (I haven’t seen details of the breach, was that really the vector that got attacked?) and sure, they’re at some degree of fault for letting this happen. But the vast majority of the blame lies at the feet of the asinine legislation that all but explicitly mandated that this situation arise.

Well, yeah. Discord isn’t exactly at fault here, they’re operating as best they can within the boundaries of a piece of legislation that could be best described as gods gift to the “I-told-you-so” crowd. This breach is exactly what everyone was warning would happen with the UK ID laws, and discord got stung first as they’re one of the few companies trying to adhere to the law in good faith (which, yes, why in hell they’re trying to do this is good faith is a very good question)

You might be confusing it with how several states have attempted to implement identity verification for access to porn sites (which has so far avoided a similar scandal to this one by virtue of rampant, contemptuous noncompliance on the part of the porn sites)

Just the UK, as far as I’m able to find. Some US users have to verify by clicking the box, but I do not believe they’ve been en-masse required to upload ID or use the UK’s facial recognition nonsense.

From the discord age verification FAQ:

The age verification features described in this article are fully available only to users in the United Kingdom and apply to all new and existing UK accounts.

Hey, it can really spice things up in the bedroom. Just saying.

Doesn’t make their comment make any more sense, but…

Excellent

Ew

I tried so hard to get it to work, but the hardware I’m using only supports ASCII characters for SSID fields and I just couldn’t finagle it around.

Weirdly I’m not actually complaining about them doing due diligence in this case. Aside from all the shit he did to me (well mainly my partner) personally, the dude was selling bathroom footage of the children who stayed there, and there was a fair number of local accomplices in the whole human trafficking & child pornography thing. It took them about four hours to realize what was going on with me and we all had a genuinely good laugh about it, and that vile POS and several of his friends are rotting under the prison as a result of them being thorough.

Rare law enforcement win, though I stress that this is very much an exception to the norm around here.

Got into a petty pissing match with a sexist POS neighbor who was running a really sketchy (and locally illegal) AirBNB - as a joke I had a couple ESPs broadcasting SSIDs like “[their_address] Bedroom Camera” and “[their_address] Bathroom Camera” that I stuck on the wall nearest their house.

… Turned out to be a huge mistake. They’d actually set up several perv cams inside the house, which was discovered during the incidental investigation into all the human trafficking they were doing, something I found out about when the police showed up and arrested me for suspicion of being involved. Thankfully I was able to convince them I’m just some complete idiot that likes to think they’re funny, but jeeze.

Funny in the retelling, though.

RCMP Surveillance Moose #1812 here

since apps do have much greater access to the parent device then a website

I’m not disagreeing at all that this should have had a website as a backup, but you yourself are making some really good points about how apps aren’t the same thing as websites and the benefits to using an app in this situation. Leveraging user hardware without the intermediate layer of a brower’s sandbox is good for performance and makes a site much more robust in the face of things like DDOS, and having locally-hosted resources with which the user can interact without requiring an active TCP connection (because for example: ICE has geoblocked connectivity at one of their “enforcement actions” - but you can still document what’s happening and the app will automatically-and-without-user-interaction upload what you’ve given it once connectivity is restored) is an incredibly important feature.

Offline websites, while potentially able to exhibit similar behavior, rely on extremely hacky workarounds and cached data to be able to do it - and an app is a much less volatile way to store that data than relying on your browser’s cache reintegration (which will often be dumped if you’re hit with bad a DHCP config).

I think your spirit is in the right place, but you’re missing enough of the technical nuance that it’s really undermining your ability to convincingly make your point. And again, I 100% agree that not having alternative access to this service is a critical loss.

That’s how everything (edit: that doesn’t benefit from locally hosted resources, which have exceptions for things like gaming where rapid data access is more important than structural niceties) works, its a design paradigm called MVVM. Host the database, shift processing to the user’s hardware (excepting hardware dependent tasks like LLMs or other compute heavy tasks). Websites, apps, even firmware – essentially anything that makes an API call in some way uses this basic structure. Even entirely local applications do it this way (albeit internally).

While those exist, those wouldn’t have been affected by this breach (or if they were it was only incidentally) - those communities are not using Discord’s age verification but are doing it through DMs (or a 3rd party service). Discord communities do not have access to age or ID verification tools, nor do they have the ability to impose restrictions based off age or ID verification (yet, there is rumored to be an age-verification access restriction beta going out, but it apparently doesnt use ID)

Wait, where are you seeing a difference between that and how an app functions? Right now it feels like you’re abstracting a bit too far in order to make a point, but I’m (genuinely) deeply curious what you mean.

And websites are just little programs you can download at will, so who cares about them?

Dynamic SQL in of itself not an issue, but the consequences (exacerbated by SQL’s inherent irrecoverability from mistakes - hope you have backups) have stigmatized its use heavily. With an understanding of good practice, a proper development environment and a close eye on the junior devs, there’s no inherent issue to using it.

There’s some real perks to using AI to code - it helps a ton with templatable or repetitive code, and setting up tedious tasks. I hate doing that stuff by hand so being able to pass it off to copilot is great. But we already had tools that gave us 90% of the functionality copilot adds there, so it’s not super novel, and I’ve never had it handle anything properly complicated at all successfully (asking GPT-5 to do your dynamic SQL calls is inviting disaster, for example. Requires hours of reworking just to get close.)

It’s only common on color laser printers.