Scala compiler engineer for embedded HDLs by profession.

I also trickjump in Quake III Arena as a hobby.

  • 0 Posts
  • 64 Comments
Joined 1 year ago
Cake day: June 13th, 2023




  • Meh, it all sounds unsustainable in the end IMO. I mean, OG Beeper Mini was built on piggybacking off of a set of Mac Mini serial numbers, and Apple already plugged that hole.

    Even then, internalized testing of an exploit and what actions a company would tolerate from abusing that exploit is very different from what that same company would tolerate once the exploit becomes publicly available. This is coming from personal experience — back in my “seedier” days I’d fuck around with random public APIs for the fun of it to see what I can do, and with my own “internal testing” I found I could get away with a lot. Once I shared that knowledge with others, I found that companies are far more willing to crack down on abuses of their API than my “internal testing” suggested otherwise.

    I fully expect that Apple will probably revise the “10-20 accounts per Mac” fact once this fix actually starts to kick off.


  • That makes sense to me, though personally if I had to buy Mac hardware to enable the bridge I’d be inclined to go all-in with a self-rolled solution anyways, and fully route everything through the Mac. I just can’t bring myself to trust a company like Beeper after their pypush stunt.

    The intersection of users who simultaneously use Android/Linux/Windows/Mac/iPhone (I’m part of the latter four) is small to begin with, and then additionally requiring the purchase of a Mac to even enable bridging capability pretty much limits this to tech enthusiasts interested in bridging their iPhone/Mac with their other devices. Or in other words, it can’t really be advertised as Beeper “Mini” anymore…



  • That’s a fair stance to have. I agree that the general trend of privacy violations across all industries is concerning, and it’s reasonable to extrapolate that it’s going to get worse. At the same time, it’s important to gauge what is presently possible in order for these extrapolations to be reasonable, so we can appropriately prepare for what these advertising corporations would do next.

    For example, I think it’s very likely that the government and megacorporations will collude further to harvest as much personal data and metadata in the name of “national security” — see the revelation that the government gag-ordered Google and Apple to keep hush about the harvesting of metadata from push notifications. I don’t think, even with the advancements in AI, that we will have smart speaker and phone companies deploying a dystopian, horrifying solution of mass surveillance to a scale that would make even the CCP blush. Maybe it would be possible within the next 50 years, but not now with how expensive AI software/hardware is right now, and especially not in the past.

    In principle, I do agree that riling up people through outrageous claims of privacy violations is a good thing purely to spread the message, but I think the strongest weapon we have for actual change is legal precedent. We need a court to strictly and firmly tell these companies, and companies in the future, and government agencies looking to infringe upon our rights, that harvesting the private, sensitive information of its users without consent is objectively wrong. A court case where the factual basis of the situation is dubious at best (for example, the context of this whole “marketing company is listening to you” claim is confusing and questionable) isn’t going to help us here, because these companies with handsomely-paid lawyers are just going to say “well, that’s not what the situation factually is, it’s <thing that is technically true but we’re saying this to specifically twist things so that the judge/jury believes us instead>.”



  • I mean, we can’t entirely discredit her effort. With her given design criteria for what is a “good user interface,” she nailed it out of the park. I would personally be inclined to use that UI if Steam went in that direction.

    However, designing for her specific design criteria is also the problem here. One of the golden, and frankly most obvious, rules of UX design is to design for users. You’re exactly right that she didn’t design for the needs of Steam users, but instead designed for her preconceived notion of what a user interface should look like. This would likely have turned out far better if she conducted research beforehand to see what Steam users actually want.


  • “Our privacy is disappearing” is a valid concern.

    “Megacorporations are conspiring to harvest advertising data from millions of consumers through the continuous, unadulterated processing of recorded audio, recorded without their consent” is, well, a conspiracy.

    There is no physical and empirical evidence that suggests this. I’ve asked multiple times in this post for direct empirical evidence of advertising companies hijacking consumer devices to record you without your consent, explaining why it should be easy and trivial to detect if it were the case. All I’ve gotten so far was moving the goalposts, fear mongering about late-stage capitalism, pre-emptive special pleading, “well the government said it was happening with some other tech (even though we’re not supposed to trust the government)” and anecdotes.

    I’ve challenged the objectivity of the anecdotes presented to me, because “my wife and I talked about buying electric blinds in the car and suddenly we got ads for electric blinds” is not scientific. Because I’m interested in the core, objective truth of the situation, not someone’s over-aggrandized and biased interpretation of it.

    This is the second time someone has called me “naive.” Critical thinking is not naive: it forms the literal cornerstone of our modern society. To imply otherwise is the same type of dismissive thinking used to perpetuate these conspiracies — from companies listening to your every word, to crystals healing you, to doctors scamming you via cancer treatments.

    You are right that there is concern for privacy. When it reaches the point of living in abject anxiety and fear of every electronic device you will ever own in the future because of an irrational and frankly schizotypal belief that they’re all listening to you… that’s simply not healthy for the mind. That is wariness brought to an illogical extreme.

    I got over that fear so long ago when I sat down and actually thought about the practicality of the whole thing, and I’m glad that I have a healthier state of mind because of it. Meanwhile, this thinking continues to prevail in the privacy “community” and be parroted by major figureheads and “leaders.”

    What this community needs is actual accountability to thoroughly scrutinize and dismantle bullshit beliefs, not fostering even more paranoia. That’s the line I draw.


  • Why?

    Hitchens’s razor, for one. Something sounding plausible just because late stage capitalism is an ever-growing cancerous beast doesn’t mean anything for veracity and objective truth.

    It’s very much the same as the idea that crystals can heal you and cure you of cancer, psychics exist and exhibit quantum telepathy, and doctors are lying to you to scam you of your hard earned money and you should instead use Vitamin C to cure COVID-19. Does that all sound stupid to you? If it does, just know your same arguments are being used to persuade other less fortunate folks into buying crystals, tarot cards, and Vitamin C pills in the hopes of improving their lives.

    All of these things are sold to these people under the pretense that capitalism is lying to you, governments are lying to you, big pharma is lying to you, and they’re all colluding to steal your identity, personal information, and scam you of your money.

    The ability to reason using empirical evidence, and not what makes us feel good or bad inside, is what allows our society to even function in the first place.



  • Various Apple statements on the matter, I’ll link to the r/UniversalProfile post celebrating it. (As it turns out, the post did not actually say anything about E2EE. It’s a statement that’s been shared on several different tabloids though.)

    It’s the most logical approach to achieve interoperability because, while Google RCS already supports E2EE, it is pretty much the antipode of interoperability: only Google and Samsung are allowed true access to gRCS’s APIs. Apple being additionally granted access would effectively establish a messaging duopoly, as there would be no reason to use anything other than Google Messages and iMessage. There’s a reason why these APIs don’t exist in the AOSP.


  • I don’t understand why they continue to do this? Apple’s already working on adding E2EE to the RCS Universal Profile and implementing it into iMessage, so the need for a “blue bubble” in Android is going to become moot.

    I get the whole thing about interoperability, but when your app’s business model revolves around charging people money to access a glorified exploit (Apple themselves stated this was the case, but you can easily verify this by looking at the source code of Beeper’s own PoC), to then follow up with more hacks and workarounds that will inevitably get patched, the sustainability of such an operation becomes dubious.


  • The “security hole” was that this app pretended to be an M1 MacBook Pro with a validation payload generated using a simulated old x86 macOS library. This particular edge case somehow tricked Apple’s servers into thinking that it was a real MacBook Pro it was talking to, and it proceeded to happily generate the encryption keys needed to create iMessage traffic. From there it was a thorough reverse engineering of the iMessage API.

    For all intents and purposes, the app was developed using a high profile exploit. The Python POC it was “based” (purchased) off of is still out there for everyone to see.

    That’s not to mention it was discovered by a hobbyist high-schooler. Complaints of monopolistic anti-competitiveness aside, you have to admit that’s cool.





  • It looks like you’re correct: the Python POC apparently simulates some kind of Apple library with a virtual x86 core to generate validation data for device registration, and spoofs the request to Apple’s servers by pretending to be a MacBook Pro 18,3 running macOS 13.2.1.

    So not only is it unsurprising that Apple patched this early, they also probably did it in the easiest way possible of blocking the combination of this particular MacBook device and whatever validation payload was being generated.

    Why a company would purchase the rights to an open sourced iMessage POC, commercialize it with a subscription and then go “surprised pikachu face” when Apple finds the exploit and blocks it… that’s entirely beyond me. Original dude must’ve made a fat paycheck though.