US senators have urged the DOJ to probe Apple’s alleged anti-competitive conduct against Beeper.

  • LinuxSBC@lemm.ee
    link
    fedilink
    English
    arrow-up
    29
    arrow-down
    3
    ·
    11 months ago

    How? It’s not a MitM or anything like that, it’s connecting exactly how an Apple device would connect. Everything is still E2EE, just one of the ends can now be an Android device.

    • btmoo@lemmy.world
      link
      fedilink
      English
      arrow-up
      17
      arrow-down
      22
      ·
      11 months ago

      A non-trusted 3rd party that has the capability to decrypt messages? It’s a big problem.

      • Eldritch@lemmy.world
        link
        fedilink
        English
        arrow-up
        27
        arrow-down
        3
        ·
        11 months ago

        That’s not how beeper worked. It actually connected from the device directly to the iMessage network. You’re thinking of all the other services that required a virtualized OSX install somewhere to act as a translation layer.

        • btmoo@lemmy.world
          link
          fedilink
          English
          arrow-up
          15
          arrow-down
          37
          ·
          11 months ago

          The beeper application is not trusted by anyone except Beeper. As an Apple user, I trust Apple by buying their devices and participating in their services. I have no trust relationship with Beeper whatsoever. They have the the ability to decrypt my messages unbeknownst to me, and do whatever they want with them. Maybe they’ll display them to users nicely in the app. Maybe they’ll do something nefarious with them.

          Having user activity flow into 3rd parties is a major security problem. Maybe you don’t see it, but it’s real and it’s there. We’re still trying to clean up the adtech mess on the web after how many years?

          • Eldritch@lemmy.world
            link
            fedilink
            English
            arrow-up
            28
            arrow-down
            3
            ·
            11 months ago

            That’s an inane argument. Your message always gets decrypted at its end point. Beeper wasn’t doing MiTM attacks. They weren’t hijacking messages. They functioned and behaved as a legitimate end point. If you don’t want a non Apple pleb getting your messages, you simply don’t send them one. Which is basically what your complaint boils down to.

            While I agree Apple should have some control over their network. Which they clearly don’t in any way that matters. The controll they’re exerting shouldn’t be allowed. As long as beeper were behaving, which they were. They should be allowed. That you feel security is defined by being handed by a company inept at security in this case, that’s your problem. Secure messages are sent and received from all manner of platforms regularly without issue. No Apple required

            • whofearsthenight@lemm.ee
              link
              fedilink
              English
              arrow-up
              4
              arrow-down
              4
              ·
              11 months ago

              Ok, I’m sorry but this comment and this thread is just all over the place.

              Beeper wasn’t doing MiTM attacks. They weren’t hijacking messages.

              That we know of. Oh, and they’re literally a man in the middle, someone the user shouldn’t expect is in between the data they’re sending. okay, I’ll give you the middle is squishy here because it’s really when it’s decrypted on the client, but still…

              They functioned and behaved as a legitimate end point.

              Which, they weren’t. They were spoofing credentials and accessing a system without authorization from the system owner. It doesn’t matter if Apple left a hole in the system. Hell, they could have set the password to be ‘12345’ it’s still probably a crime, at least, based on this list of crimes:

              having knowingly accessed a computer without authorization or exceeding authorized access

              The whole thing basically reiterates over and over that just because you technically have access, that doesn’t mean you are permitted.

              While I agree Apple should have some control over their network.

              Okay, makes sense.

              Which they clearly don’t in any way that matters.

              How many iMessage breaches has Apple had?

              The controll they’re exerting shouldn’t be allowed.

              The “control” is discovering that someone else made a copy of the key to their locks. If i told you that I now have a copy of the key to your house (but trust me bro I’m only going to use it like you would which means using your shit and and selling your food to others) oh and that now basically anyone has a copy to the key to your house, would you change the locks?

              As long as beeper were behaving, which they were.

              Which they were?! They literally are using fake credentials, accessing a system without authorization, using the infrastructure including the real costs of said infrastructure.

              Secure messages are sent and received from all manner of platforms regularly without issue. No Apple required

              Welp, you’ve just provided the closing arguments for Apple’s lawyers and any sort of monopoly concern.

              • AustralianSimon@lemmy.world
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                edit-2
                11 months ago

                The argument of security is bunk, Apple are integrating the more widely used RCS protocol into iMessage. It’ll mean they won’t need their own bespoke protocol either. Besides Apple is known for calling stuff security changes when really they rely on obscurity to not notice how insecure components are such as the method iMessage uses to authenticate now.

                When done other apps for messaging will explode in commonality and blow the case open. They just need to finish implementing it.

                https://www.engadget.com/what-is-rcs-and-how-is-it-different-from-sms-and-imessage-202334057.html

          • BearOfaTime@lemm.ee
            link
            fedilink
            English
            arrow-up
            21
            arrow-down
            5
            ·
            edit-2
            11 months ago

            Funny, you trust apple yet iMessage has major flaws that were written about years ago, that Apple has never addressed. https://news.ycombinator.com/item?id=38537444

            And if you read the Beeper devs blog, you’d understand how much you misunderstand about the security and encryption implications. If anying, it increases message security by moving messaging from SMS to encrypted iMessage. https://jjtech.dev/reverse-engineering/imessage-explained/

            He invited Apple to have a third party assess his work. So far Apple hasn’t responded.

            I have no issue with Apple blocking Beeper, it’s their system. It’s interesting to watch, but the DOJ has no reason to get involved here, it hasn’t even been made a legal issue yet.

            If Apple feels it’s a legal issue, they could start legal proceedings. My question is why they haven’t.

            • btmoo@lemmy.world
              link
              fedilink
              English
              arrow-up
              10
              arrow-down
              8
              ·
              11 months ago

              Thanks for the links! I enjoyed reading about how iMessage is built on top of APN. That probably explains why I can reply to messages in arbitrary apps on my Apple Watch. :-)

              However, that doesn’t change my argument. Beeper is not a trusted party in this exchange. When they show my messages to their users, they are decrypting my messages and user activity in a way that is outside my zone of trust. They can then be nice and show it to their users in their app, or they can be nefarious and send that data to any other 3rd party for whatever purposes they want.

              This is a major security hole at the application layer, despite the network layer security that you’ve linked to.

              • Crit@links.hackliberty.org
                link
                fedilink
                English
                arrow-up
                3
                ·
                11 months ago

                One of the parties has to trust the endpoint. People can screenshot or forward you messages to other people unbeknownst to you, but you have to trust the other person not to do so, how is that any different from trusting another person that they choose a safe app?

          • Maggoty@lemmy.world
            link
            fedilink
            English
            arrow-up
            4
            arrow-down
            1
            ·
            11 months ago

            Guess what happens when you do anything outside the Apple ecosystem. Guess what’s happening right now on Lemmy.

            You’re logic would mean never actually using your device.