398
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 11 Dec 2023
398 points (96.9% liked)
Technology
58201 readers
3630 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 1 year ago
MODERATORS
Did Beeper clear its usage of the iMessage platform with Apple? Sign a contract? Get an SLA agreement with Apple in writing?
I was under the impression that they found essentially a back door/work around to latch into the iMessage platform… in that case this is no different than Cisco patching some routers or MS fixing a security hole. If anything I’d be more annoyed that Apple didn’t patch it quicker.
I’d love to be able to use iMessage with my android friends, but Beeper’s methods seemed sketchy as hell.
It was an exploit that mimicked the device as apple hardware, but it wasent sketchy. Everything was still e2ee, with beeper having no access to any data.
It was the exact opposite of what the Nothing "middleman" did that was actually sketchy.
...
Ah yes, businesses based on exploits. Very not sketchy.
It wasent a bug in software. As I understand it, they cloned an apple hardware ID.
They basically put on an "Im an apple!" mask and then used iMessage as expected. While an "exploit" it is not inherently a security issue.
Enabling interoperability in purposely walled gardens for the overall greater good of the Internet? Sounds like some good ol' hackers spirit to me. If they make a few bucks while they do it, even better.
Yall realize youre on a tiny, open source network right now that employs the same kind of scrappy "do the right thing because it's right" ethos, yeah? That at some point beeper might be a bridge to things like direct mastadon/iMessage/messenger/whatsapp/matrix compatibility?
Im rooting for them to keep it up.
I think you're conflating two different things when it comes to my comment. While I can agree in spirit, and were someone to release a FOSS version of this that did the same thing, I'd go right along with you on the whole "hacker spirit" thing (like the kid who wrote the original exploit and put it up for free on GitHub), but that's not what is happening here. This:
is not what's happening, this is Beeper just trying to make money basically selling fake ID's so you can get into the club, and the whole "uwu I'm a wittle startup don't hurt me Apple" is just marketing spin for what I have to imagine was the rather insane assumption on the part of Beeper that they thought they found something that was unpatchable, and/or that they could somehow publicly pressure Apple to not sue them out of existence for what is potentially a crime (laws against hacking usually don't give a shit about the method you use to breech a system, just whether that use is authorized which this is clearly not.) Apple has reasonable claim to financial damage as well, since Beeper is using Apple's servers/bandwidth without approval or compensation. Charitably, Beeper might be hoping that this gets the attention of regulators and they'll legislate opening it up, but that ship has sailed in the EU, and the legal argument for doing it in the states is "we don't like green bubbles" so I wouldn't hold my breath, and even then assuming there is a will in the legislature to do this, I have a hard time seeing how Beeper stays funded long enough to see that law pass.
Anyway, I am not saying this because I personally don't want to see iMessage on Android (realistically I'd like the RCS standards body to get their head out of their asses and relegate iMessage and the various Facebook messengers to irrelevance) what I am saying is that Beeper trying to pretend to be a real business is laughable. Like, this is the type of product I would expect to buy in an alternate App Store with bitcoin or something, not something I would expect a real business to release on purpose with all of the fanfare and 100k's of downloads. It's the technical equivalent of putting up a stand in front of Costco advertising that you're going to print and sell fake cards so you can get into Costco, and you're going to do that by plugging your printer setup into Costco's power to do it. oh, and then when Costco cuts off power, you run an extension cord over to a different outlet. Like, you can argue that you think Costco should do away with membership, but we all see what an insane business plan that would be, right?
edit: This is a really good article from the Verge on the whole thing, but I'm afraid it's more nuanced than "Apple BAD!" so ymmv.
Finally, some sanity. Just because it’s apple, doesn’t mean it’s okay to build a business model on piggybacking off their service. I know “apple bad” but I don’t get why people are defending Beeper.
While it's not mostly about security, and I generally agree that Apple's dickitry with regard to iMessage should end (they'd be doing a solid in the US to just release an Android client and monetize via sticker packs or something like it) there is most certainly a security risk for Apple to allow a reverse-engineering of their spec to spoof real iPhones, which is how Beeper works.:
Now, your quote and the others in this thread:
They sure as fuck did, lol. iMessage isn't public, it's not intended to be used by anyone other than Apple, and the bandwidth and servers are not free. Its not as if every iMessage isn't going through Apple's servers, they're paying for it. Though they didn't find a technical hole like a zero day or compromise iMessage for customers, they absolutely found a security concern for Apple. If you walk in to your house, find your neighbor there grabbing a couple of eggs out of the fridge and they hand wave away and say "don't worry I didn't break a window, I just figured out you keep a spare key under the mat and also I'm going to use these to make cookies for the block party and I'm not going to charge a lot for them and only you have these eggs from your chicken you're hogging them!" you'd kick them out in a hurry and probably call the cops.
So two things:
I've only heard this particular stance from iPhone users.
Apple has done a stellar job propagandizing their brand as the "Good guys... just looking out for their customer's best interests, is all".
No evidence for this take whatsoever; it's just naked, gullible brand loyalty.
Kind of an amazing phenomenon, if it weren't so sad.
I’ve got both. iOS for work, android for personal use. I’m in DevSecOps and therefore tend to see everything from this sort of mindset. Apple didn’t make a deal with them, they don’t have an open standard. It’s proprietary, it’s locked down. Why would any company with that sort of a product allow another company to interface with their offerings without paying for it? Even if it’s nice and secure, this will add load to the iMessage servers that people aren’t paying Apple for. It could introduce errors/issues they never tested for because they have a closed ecosystem and only have to test with their own devices, a known quantity. It could even increase potential attack vectors.
If you offered wifi to your friends via a guest network and then someone figured out how to connect their whole neighborhood to it, would you be fine with that?
Good points. But, and using your LAN comparison: if my wifi's guest network used some custom method (let's also consider it a proprietary method for the sake of comparison) to, A) impose an arbitrary limit of uploading files no larger than 100KB (and/or have the files heavily compressed to meet said limit) while B) offering no clear method of communication to the non-guest users why this limitation is occuring (or even exists)... I can imagine both guests and non-guests would quickly become irritated and start bickering among themselves as to whose fault this arbitrarily-imposed "local network file sharing problem" should be blamed on.
I don't think it's the guests fault for being arbitrarily limited. And I wish the non-guests could be told why the limitations are imposed.
Because no one behind a trillion dollar company should (in good faith, at least) concern themselves with restricting non-Apple, shareable files to be seen as "just slightly, technically accessible to Apple devices".
These constraints are clearly imposed on Apple users (by no one but Apple) to alienate "non-privileged, non-Apple customers" (them) from the "privileged Apple customers" (us).
And Apple's goal on "finding common ground" seems to be: do not negotiate with any proposed solutions as the division we are creating is intentional.
Exactly. And this (community reverse engineering / interoperability / bridging etc), isn't something new, it's existed ever since a messaging protocol became popular - remember Trillian, Miranda, etc? Whether proprietary or not, it didn't matter - people were going to find a way to bridge the gap sooner or later. So for Apple to think that this was somehow exclusive to just iPhone users - and that it will stay that way - is a bit shortsighted.
If profit is what they were after, they could've just as easily made an official, secure API and charged for it. I'm sure there's plenty of folks out there willing to pay for iMessage, given how many of them are buying used Mac Minis and iPhones to use as a relay. Apple's shortsightedness is making them miss out on a business opportunity.
What's the choice? Apple isn't going to license it for all the tea in China.
It's entirely different in that it was not a vulnerability or exploit of any kind and actually improved the security of Apple's users.