How? It’s not a MitM or anything like that, it’s connecting exactly how an Apple device would connect. Everything is still E2EE, just one of the ends can now be an Android device.
That’s not how beeper worked. It actually connected from the device directly to the iMessage network. You’re thinking of all the other services that required a virtualized OSX install somewhere to act as a translation layer.
The beeper application is not trusted by anyone except Beeper. As an Apple user, I trust Apple by buying their devices and participating in their services. I have no trust relationship with Beeper whatsoever. They have the the ability to decrypt my messages unbeknownst to me, and do whatever they want with them. Maybe they’ll display them to users nicely in the app. Maybe they’ll do something nefarious with them.
Having user activity flow into 3rd parties is a major security problem. Maybe you don’t see it, but it’s real and it’s there. We’re still trying to clean up the adtech mess on the web after how many years?
That’s an inane argument. Your message always gets decrypted at its end point. Beeper wasn’t doing MiTM attacks. They weren’t hijacking messages. They functioned and behaved as a legitimate end point. If you don’t want a non Apple pleb getting your messages, you simply don’t send them one. Which is basically what your complaint boils down to.
While I agree Apple should have some control over their network. Which they clearly don’t in any way that matters. The controll they’re exerting shouldn’t be allowed. As long as beeper were behaving, which they were. They should be allowed. That you feel security is defined by being handed by a company inept at security in this case, that’s your problem. Secure messages are sent and received from all manner of platforms regularly without issue. No Apple required
Ok, I’m sorry but this comment and this thread is just all over the place.
Beeper wasn’t doing MiTM attacks. They weren’t hijacking messages.
That we know of. Oh, and they’re literally a man in the middle, someone the user shouldn’t expect is in between the data they’re sending. okay, I’ll give you the middle is squishy here because it’s really when it’s decrypted on the client, but still…
They functioned and behaved as a legitimate end point.
Which, they weren’t. They were spoofing credentials and accessing a system without authorization from the system owner. It doesn’t matter if Apple left a hole in the system. Hell, they could have set the password to be ‘12345’ it’s still probably a crime, at least, based on this list of crimes:
having knowingly accessed a computer without authorization or exceeding authorized access
The whole thing basically reiterates over and over that just because you technically have access, that doesn’t mean you are permitted.
While I agree Apple should have some control over their network.
Okay, makes sense.
Which they clearly don’t in any way that matters.
How many iMessage breaches has Apple had?
The controll they’re exerting shouldn’t be allowed.
The “control” is discovering that someone else made a copy of the key to their locks. If i told you that I now have a copy of the key to your house (but trust me bro I’m only going to use it like you would which means using your shit and and selling your food to others) oh and that now basically anyone has a copy to the key to your house, would you change the locks?
As long as beeper were behaving, which they were.
Which they were?! They literally are using fake credentials, accessing a system without authorization, using the infrastructure including the real costs of said infrastructure.
Secure messages are sent and received from all manner of platforms regularly without issue. No Apple required
Welp, you’ve just provided the closing arguments for Apple’s lawyers and any sort of monopoly concern.
The argument of security is bunk, Apple are integrating the more widely used RCS protocol into iMessage. It’ll mean they won’t need their own bespoke protocol either. Besides Apple is known for calling stuff security changes when really they rely on obscurity to not notice how insecure components are such as the method iMessage uses to authenticate now.
When done other apps for messaging will explode in commonality and blow the case open. They just need to finish implementing it.
And if you read the Beeper devs blog, you’d understand how much you misunderstand about the security and encryption implications. If anying, it increases message security by moving messaging from SMS to encrypted iMessage.
https://jjtech.dev/reverse-engineering/imessage-explained/
He invited Apple to have a third party assess his work. So far Apple hasn’t responded.
I have no issue with Apple blocking Beeper, it’s their system. It’s interesting to watch, but the DOJ has no reason to get involved here, it hasn’t even been made a legal issue yet.
If Apple feels it’s a legal issue, they could start legal proceedings. My question is why they haven’t.
Thanks for the links! I enjoyed reading about how iMessage is built on top of APN. That probably explains why I can reply to messages in arbitrary apps on my Apple Watch. :-)
However, that doesn’t change my argument. Beeper is not a trusted party in this exchange. When they show my messages to their users, they are decrypting my messages and user activity in a way that is outside my zone of trust. They can then be nice and show it to their users in their app, or they can be nefarious and send that data to any other 3rd party for whatever purposes they want.
This is a major security hole at the application layer, despite the network layer security that you’ve linked to.
One of the parties has to trust the endpoint. People can screenshot or forward you messages to other people unbeknownst to you, but you have to trust the other person not to do so, how is that any different from trusting another person that they choose a safe app?
So is having unencrypted messages with all non-iOS devices with no real solution in sight. Security is obviously not their concern here, it’s vendor lock in.
Businesses are naturally anticompetitive. It may or may not violate antitrust law. The two main categories are collusion with competitors to prevent new competition, or if they seek to gain or maintain a monopoly via shady methods (just a monopoly itself isn’t illegal though). I doubt if Apple conspired with Google here and it would be a stretch to say they have a monopoly, so it seems like a pointless case to me.
Ah, common misconception - hacking an API != creating a compatible program. ( reverse engineering)
Imagine a drill company has a special shape for its bits.
Our law allows someone else to either… make bits that can fit in that shape
OR make their own drill that can accept those bits.
“BUT they copied!” - it doesn’t have to be a copy to be compatible, and they don’t even have to use the ‘special shape’ just be able to work with the special shape. The law does not allow for protections around that. Doing so would be by definition anti-competitive. Our anti competition laws or rather our IP protection laws are not intended in any way to ‘ensure a monopoly’. The IP laws give a person a right to either keep something they do secret OR share that knowledge with the world so we all benefit, in exchange for a very limited monopoly.
Practically speaking, If I got the KFC Colonel to give me the list of 11 herbs and spices in a Poker game, and then started making my own delicious poultry that is totally cool. Likewise, If I figured out that all that was inside a Threadripper was blue smoke and started making my own blue smoke chips, the law is ok with that.
In this case roughly, Having a public facing endpoint. And then saying that the public can access that endpoint is cool
Saying that only the public using the code I alone gave them – well… that’s not been litigated a lot, but all signs point to no.
It’s like Bing saying its for Safari only, and suing people who accessed it using Chrome. It is a logical claim, but the law does not provide that kind of protection/enforcement.
tl;dr these concepts are old but being newly applied to fancy technology. The laws in place are clear in most cases. A car maker can not dictate what you put in the tank. FedEX and UPS can’t charge you differently for shipping fiction books or medical journals or self published stories. And they’d probably get anti-trust scrutiny they even told you what brand/style of boxes you had to use.
That counts as unauthorized access in the eyes of the law. It’s a private system and they did not have any agreements permitting them to use it as they wanted.
Quite literally the text of the Computer Fraud and Abuse act. Unauthorized access of computer systems can get you 20-years at club fed. Seems like some of these people need a history lesson.
I don’t know laws in the US but my limited understanding in the case of Beeper is that its users are the ones that grant themselves unauthorized access to the Apple servers. Beeper is a tool that packages pypush to accomplish it. So Apple should sue all the Beeper users?
As an example, there are tons of tools to exploit vulnerable systems in Linux. Metasploit is a penetration testing software and can execute exploits on old unpatched systems. I don’t think anyone is suing Metasploit developers for Computer Fraud and Abuse aCt. The users who use it are responsible for the access of unauthorized services and broken ToS.
If Apple thinks Beeper users are exploiting its servers, they should patch them (which they did).
Beeper did try to monetize it, so i’m not sure how it fairs but Beeper is not forcing anyone to gain unauthorized access. Beeper even welcomed Apple to audit Beeper mini code.
And I’m sure Beeper has a legal team that analyzed these scenarios better than anyone of us. And Apple has sued companies for less. They’d have done it the moment the app landed on appstore. They could have crushed it before gaining any attention.
Again, I have no idea how legal it is. I have both Apple and android devices and never use iMessage. But you gotta hand it to Beeper devs. That’s some old school hacker shit and I’m here for it.
These are separate issues and it’s a very complex set of issues. Reverse engineering is generally “okay” as long as you aren’t directly copying code, because you’ll run afoul of copyright laws. That doesn’t grant them the rights to access anyone else’s computer systems without authorization.
Tools that can be used maliciously are generally allowed because they have legitimate uses, using them to gain access or otherwise harm a computer system or network without authorization is criminal. You keep mentioning “suing” but this is not a civil issue, violating the CFAA is a crime.
Aaron Swartz got supremely fucked for writing a script that downloaded files he legally could access but technically was unauthorized because he accessed them in a way the corporation didn’t like.
I don’t think you see the difference, Aaron was downloading the data off of MIT servers himself, he was not facing charges for writing the scripts.
From your link:
The Justice Department’s press release announcing Aaron’s indictment suggests the true motivation for pursuing the case was that Aaron downloaded academic literature from JSTOR and planned to make it available to the public for free as a political statement about access to knowledge.
.
Tools that can be used maliciously are generally allowed because they have legitimate uses, using them to gain access or otherwise harm a computer system or network without authorization is criminal.
As I said before, Beeper users are gaining unauthorized access, not Beeper. It is E2EE, they’re not the middleman.
Genuinely curious, what’s the law against reverse engineering an API? I can maybe see the argument for charging for the service, but beeper mini is planning to integrate other services as well so I don’t know if that’ll really hold water.
They didn’t, someone made an App to interface with it. Trying to shut that down is anti-competitive.
It’s also a huge security hole
How? It’s not a MitM or anything like that, it’s connecting exactly how an Apple device would connect. Everything is still E2EE, just one of the ends can now be an Android device.
A non-trusted 3rd party that has the capability to decrypt messages? It’s a big problem.
That’s not how beeper worked. It actually connected from the device directly to the iMessage network. You’re thinking of all the other services that required a virtualized OSX install somewhere to act as a translation layer.
The beeper application is not trusted by anyone except Beeper. As an Apple user, I trust Apple by buying their devices and participating in their services. I have no trust relationship with Beeper whatsoever. They have the the ability to decrypt my messages unbeknownst to me, and do whatever they want with them. Maybe they’ll display them to users nicely in the app. Maybe they’ll do something nefarious with them.
Having user activity flow into 3rd parties is a major security problem. Maybe you don’t see it, but it’s real and it’s there. We’re still trying to clean up the adtech mess on the web after how many years?
That’s an inane argument. Your message always gets decrypted at its end point. Beeper wasn’t doing MiTM attacks. They weren’t hijacking messages. They functioned and behaved as a legitimate end point. If you don’t want a non Apple pleb getting your messages, you simply don’t send them one. Which is basically what your complaint boils down to.
While I agree Apple should have some control over their network. Which they clearly don’t in any way that matters. The controll they’re exerting shouldn’t be allowed. As long as beeper were behaving, which they were. They should be allowed. That you feel security is defined by being handed by a company inept at security in this case, that’s your problem. Secure messages are sent and received from all manner of platforms regularly without issue. No Apple required
Ok, I’m sorry but this comment and this thread is just all over the place.
That we know of. Oh, and they’re literally a man in the middle, someone the user shouldn’t expect is in between the data they’re sending. okay, I’ll give you the middle is squishy here because it’s really when it’s decrypted on the client, but still…
Which, they weren’t. They were spoofing credentials and accessing a system without authorization from the system owner. It doesn’t matter if Apple left a hole in the system. Hell, they could have set the password to be ‘12345’ it’s still probably a crime, at least, based on this list of crimes:
The whole thing basically reiterates over and over that just because you technically have access, that doesn’t mean you are permitted.
Okay, makes sense.
How many iMessage breaches has Apple had?
The “control” is discovering that someone else made a copy of the key to their locks. If i told you that I now have a copy of the key to your house (but trust me bro I’m only going to use it like you would which means using your shit and and selling your food to others) oh and that now basically anyone has a copy to the key to your house, would you change the locks?
Which they were?! They literally are using fake credentials, accessing a system without authorization, using the infrastructure including the real costs of said infrastructure.
Welp, you’ve just provided the closing arguments for Apple’s lawyers and any sort of monopoly concern.
The argument of security is bunk, Apple are integrating the more widely used RCS protocol into iMessage. It’ll mean they won’t need their own bespoke protocol either. Besides Apple is known for calling stuff security changes when really they rely on obscurity to not notice how insecure components are such as the method iMessage uses to authenticate now.
When done other apps for messaging will explode in commonality and blow the case open. They just need to finish implementing it.
https://www.engadget.com/what-is-rcs-and-how-is-it-different-from-sms-and-imessage-202334057.html
Funny, you trust apple yet iMessage has major flaws that were written about years ago, that Apple has never addressed. https://news.ycombinator.com/item?id=38537444
And if you read the Beeper devs blog, you’d understand how much you misunderstand about the security and encryption implications. If anying, it increases message security by moving messaging from SMS to encrypted iMessage. https://jjtech.dev/reverse-engineering/imessage-explained/
He invited Apple to have a third party assess his work. So far Apple hasn’t responded.
I have no issue with Apple blocking Beeper, it’s their system. It’s interesting to watch, but the DOJ has no reason to get involved here, it hasn’t even been made a legal issue yet.
If Apple feels it’s a legal issue, they could start legal proceedings. My question is why they haven’t.
Thanks for the links! I enjoyed reading about how iMessage is built on top of APN. That probably explains why I can reply to messages in arbitrary apps on my Apple Watch. :-)
However, that doesn’t change my argument. Beeper is not a trusted party in this exchange. When they show my messages to their users, they are decrypting my messages and user activity in a way that is outside my zone of trust. They can then be nice and show it to their users in their app, or they can be nefarious and send that data to any other 3rd party for whatever purposes they want.
This is a major security hole at the application layer, despite the network layer security that you’ve linked to.
One of the parties has to trust the endpoint. People can screenshot or forward you messages to other people unbeknownst to you, but you have to trust the other person not to do so, how is that any different from trusting another person that they choose a safe app?
Guess what happens when you do anything outside the Apple ecosystem. Guess what’s happening right now on Lemmy.
You’re logic would mean never actually using your device.
So is having unencrypted messages with all non-iOS devices with no real solution in sight. Security is obviously not their concern here, it’s vendor lock in.
Businesses are naturally anticompetitive. It may or may not violate antitrust law. The two main categories are collusion with competitors to prevent new competition, or if they seek to gain or maintain a monopoly via shady methods (just a monopoly itself isn’t illegal though). I doubt if Apple conspired with Google here and it would be a stretch to say they have a monopoly, so it seems like a pointless case to me.
It’s not a public API. Hacking someone’s private API is already against law - charging $$ for it moreso.
Reverse engineering an API is not illegal
Ah, common misconception - hacking an API != creating a compatible program. ( reverse engineering)
Imagine a drill company has a special shape for its bits. Our law allows someone else to either… make bits that can fit in that shape OR make their own drill that can accept those bits.
“BUT they copied!” - it doesn’t have to be a copy to be compatible, and they don’t even have to use the ‘special shape’ just be able to work with the special shape. The law does not allow for protections around that. Doing so would be by definition anti-competitive. Our anti competition laws or rather our IP protection laws are not intended in any way to ‘ensure a monopoly’. The IP laws give a person a right to either keep something they do secret OR share that knowledge with the world so we all benefit, in exchange for a very limited monopoly.
Practically speaking, If I got the KFC Colonel to give me the list of 11 herbs and spices in a Poker game, and then started making my own delicious poultry that is totally cool. Likewise, If I figured out that all that was inside a Threadripper was blue smoke and started making my own blue smoke chips, the law is ok with that.
In this case roughly, Having a public facing endpoint. And then saying that the public can access that endpoint is cool Saying that only the public using the code I alone gave them – well… that’s not been litigated a lot, but all signs point to no.
It’s like Bing saying its for Safari only, and suing people who accessed it using Chrome. It is a logical claim, but the law does not provide that kind of protection/enforcement.
tl;dr these concepts are old but being newly applied to fancy technology. The laws in place are clear in most cases. A car maker can not dictate what you put in the tank. FedEX and UPS can’t charge you differently for shipping fiction books or medical journals or self published stories. And they’d probably get anti-trust scrutiny they even told you what brand/style of boxes you had to use.
They didn’t hack it, they spoofed a device, they just tricked the systems around the api
That counts as unauthorized access in the eyes of the law. It’s a private system and they did not have any agreements permitting them to use it as they wanted.
Quite literally the text of the Computer Fraud and Abuse act. Unauthorized access of computer systems can get you 20-years at club fed. Seems like some of these people need a history lesson.
Apple reverse-engineered Office to release iWork. So Apple isn’t new to reverse-engineering others proprietary shit when it benefits them. something, something, history lesson, hmm…
I don’t know laws in the US but my limited understanding in the case of Beeper is that its users are the ones that grant themselves unauthorized access to the Apple servers. Beeper is a tool that packages pypush to accomplish it. So Apple should sue all the Beeper users?
As an example, there are tons of tools to exploit vulnerable systems in Linux. Metasploit is a penetration testing software and can execute exploits on old unpatched systems. I don’t think anyone is suing Metasploit developers for Computer Fraud and Abuse aCt. The users who use it are responsible for the access of unauthorized services and broken ToS.
If Apple thinks Beeper users are exploiting its servers, they should patch them (which they did).
Beeper did try to monetize it, so i’m not sure how it fairs but Beeper is not forcing anyone to gain unauthorized access. Beeper even welcomed Apple to audit Beeper mini code.
And I’m sure Beeper has a legal team that analyzed these scenarios better than anyone of us. And Apple has sued companies for less. They’d have done it the moment the app landed on appstore. They could have crushed it before gaining any attention.
Again, I have no idea how legal it is. I have both Apple and android devices and never use iMessage. But you gotta hand it to Beeper devs. That’s some old school hacker shit and I’m here for it.
I guess we’ll have to wait and see.
These are separate issues and it’s a very complex set of issues. Reverse engineering is generally “okay” as long as you aren’t directly copying code, because you’ll run afoul of copyright laws. That doesn’t grant them the rights to access anyone else’s computer systems without authorization.
Tools that can be used maliciously are generally allowed because they have legitimate uses, using them to gain access or otherwise harm a computer system or network without authorization is criminal. You keep mentioning “suing” but this is not a civil issue, violating the CFAA is a crime.
Aaron Swartz got supremely fucked for writing a script that downloaded files he legally could access but technically was unauthorized because he accessed them in a way the corporation didn’t like.
I don’t think you see the difference, Aaron was downloading the data off of MIT servers himself, he was not facing charges for writing the scripts.
From your link:
.
As I said before, Beeper users are gaining unauthorized access, not Beeper. It is E2EE, they’re not the middleman.
What this guy said https://lemmy.world/comment/6119756
Genuinely curious, what’s the law against reverse engineering an API? I can maybe see the argument for charging for the service, but beeper mini is planning to integrate other services as well so I don’t know if that’ll really hold water.