by Nextgrid 912 days ago
Nobody is MiTM'ing anything. Individuals willingly provide their credentials and only get access to their own messages - the same messages they can voluntarily take screenshots of & publish by logging into a real Apple device. Furthermore, Beeper's app runs entirely on-device with an optional cloud-hosted bridge that may not even have access to the plaintext.

It is pretty much universally frowned upon to provide your credentials to a 3rd party. Plenty of places will suspend your account if it is discovered you have done this. Building a product that relies on receiving users' credentials to 3rd parties is just building your company on a foundation of very dry/loose sand.
To be fair, Beeper Mini operates entirely on your device, the optional cloud component is there because there's literally no other way. It's like an e-mail client, or an FTP or SSH client, or a browser. Are those considered bad now?

> Plenty of places will suspend your account if discovered you have done this.

Plenty of services base their business on restricted interoperability and suspend your account not because of security but because they'd miss out on all the "engagement" they get from the official client. This has nothing to do with security.

In the rare time I'd make a pro-Twit...er, X comment, if the platform makes its money from ads being delivered next to the content and then a 3rd party comes up with a way to provide the users an ad-free experience, OF COURSE they will not be happy with that. But this isn't specific to that particular platform. Any time you assist users in circumventing a method for the platform to earn money, it will be viewed as hostile. If you build a product and pay a licensing fee to offset the lost earnings, then that would potentially be viewed as less hostile, even if still not 100% accepted by the platform.

This isn't rocket science.

> Plenty of places will suspend your account if discovered you have done this.

And yet that's not the route Apple chose to take.

If you can take out the 3rd party tempting Apple users into doing this, then Apple doesn't have to lose those users. It doesn't seem very strange for them to do this. However, if it's not something that Apple could control on their end, then they probably still have the "suspend user" club in their bag.
Wait until you discover how Plaid works.
I very much am aware of how Plaid works and will not use it.

Someone recently really tried to get me to use Chime. As soon as the "must use Plaid" part came up in their onboarding, I stopped immediately. It's just a shame that I had already provided Chime so much of my information just to stop there.

Plaid is also bad.
Plaid is bad, but is there another way? (OAuth and PSD2 could be, and IIRC they use that for banks that support it, but many banks don't.)
Beeper's app is the MiTM. I already have to trust Apple not to abuse their privileged position re: e2e iMessage. Now I have to trust Beeper, Apple, and Apple has to continuously trust/verify Beeper. Privacy and interop are fundamentally in opposition here, and I find Beeper's PR approach regarding this to be misleading at best.
Beeper is as much of an MITM as your e-mail client is one, or your FTP client, or your SSH client, or your browser. Should those also be frowned upon? After all, they both implement a cryptographic protocol and have access to the plaintext.

You also don't have to trust Beeper because you are not obliged to use it. You are welcome to not use it (and buy an Apple device) or even fall back to SMS.

The recipient can themselves decide what level of security they want and whether they trust Beeper (but they don't need Beeper to compromise their security - they can just as well post screenshots of your E2E-encrypted messages with them, make a backup on a compromised computer or leak their Apple/iCloud credentials).

Email isn't end to end encrypted. FTP and SSH are client-server protocols whereas iMessage is client-server(s)-client.

Do you actually believe these things you're claiming, or are you arguing for the sake of contrarianism?

> Email isn't end to end encrypted

E-mail can be end-to-end encrypted; you can use PGP (of which there are multiple implementations, all compatible) or some other custom cryptographic protocol. Having multiple compatible implementations in no way prevents it from being secure.

> FTP and SSH are client-server protocols whereas iMessage is client-server(s)-client.

I don't understand how iMessage and FTP are different? Both have a server which mediates communication between different clients. The FTP server accepts & persists files which other clients then see and can download. The iMessage server does something similar but with messages.

> Do you actually believe these things you're claiming

Yes? I believe every person should have the right to choose which software they use to interact with services, whether it's first-party, third-party, or their own creation. I don't know nor care which browser you're using to read & reply to my comments and shouldn't have a say in it in any case - whatever happens on your machine is your own business only.

I don't understand what is so extreme about my position? It's like arguing that being able to open & create Microsoft Office files in anything but a Microsoft-approved version is heresy.

> E-mail can be end-to-end encrypted; you can use PGP

SMS can be end-to-end encrypted; you can use PGP.

> I don't understand how iMessage and FTP are different?

If I get a new iPhone and set it up without restoring it from a backup and I have NOT opted into "Messages in iCloud" (I personally have not), then my entire iMessage history is unavailable to me on my new iPhone.

> I believe every person should have the right to choose which software they use to interact with services

Then you also believe that forgoing E2E encryption is an acceptable tradeoff for exercising that freedom.

> I don't understand what is so extreme about my position?

It's not that your position is extreme, it's that you don't seem to understand the consequences of that position.

> If I get a new iPhone and set it up without restoring it from a backup and I have NOT opted into "Messages in iCloud" (I personally have not), then my entire iMessage history is unavailable to me on my new iPhone.

Ok, the difference between an FTP server and the iMessage server is that iMessage only buffers the messages for a few hours (until delivered), whereas an FTP server would persist them for longer. That's completely irrelevant in this case though - both operate as a temporary storage space to which multiple clients owned by different parties connect, and I still don't understand why it should be acceptable to connect a third-party client to one but not the other?

> Then you also believe that forgoing E2E encryption is an acceptable tradeoff for exercising that freedom.

If there was some technical reason why E2E wasn't possible then sure, but there's none - as GnuPG, browsers, SSH clients, XMPP, and Beeper all demonstrate, a third-party client can just as well implement an E2E protocol, and the only reason we can't have that with iMessage is because it would compromise Apple's vendor lock-in.

> it's that you don't seem to understand the consequences of that position

Which are? I still don't understand how Beeper being out there affects me negatively as an Apple user? Even if we assume Beeper actually had some security vulnerabilities and was literally sending message contents in plain unencrypted form over an untrusted network, it still wouldn't be any worse than texting those people via SMS, which is unencrypted by design?