65 votes

Nothing’s iMessage app was a security catastrophe, taken down in 24 hours

24 comments

  1. [15]
    shrike
    Link
    Not only was the app not end-to-end encrypted, as claimed numerous times by Nothing and Sunbird, but Sunbird actually logged and stored messages in plain text, both in the error-reporting software Sentry and in a Firebase store. Authentication tokens were sent over unencrypted HTTP, so the token could be intercepted and used to read your messages.

    Huge marketing campaign, influencers and all and they didn't even get the basics right

    56 votes
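    The two failures described in the comment above (message bodies logged to an error-reporting backend, and an auth token sent over plain HTTP) are both catchable with a few lines of client-side code. The block below is an added example, not code from Sunbird, Nothing or Sentry; the event layout, the endpoint URLs and the injected `transport` callable are all constructed assumptions for illustration. It shows a before-send style scrubber that redacts message bodies and auth headers from an error event, and a fail-closed check that refuses to send a token to anything other than an https:// endpoint.

```python
"""Added example (not Sunbird's or Nothing's code): two checks that would have
caught the failures described above, run against constructed sample data.

Assumptions (hypothetical, not from the page): the relay client builds an
error-report event as a nested dict, and reads its API endpoint from a string.
"""
from urllib.parse import urlparse

# Keys whose values must never reach an error-reporting or analytics backend.
# Deliberately blunt: a relay has no business putting message text anywhere
# near a crash report, so redacting every 'message' field is the safe default.
SENSITIVE_KEYS = {"message", "body", "text", "authorization",
                  "cookie", "token", "access_token"}


def scrub_event(event):
    """Recursively replace sensitive values in an error-report event with a
    placeholder so message bodies and auth tokens are never logged in plaintext.
    Meant to be wired in as a before_send-style hook. Returns a new structure
    and never mutates the input."""
    if isinstance(event, dict):
        return {k: ("[redacted]" if k.lower() in SENSITIVE_KEYS else scrub_event(v))
                for k, v in event.items()}
    if isinstance(event, list):
        return [scrub_event(v) for v in event]
    return event


def assert_tls_endpoint(url):
    """Refuse any endpoint that is not https:// with a host. Raises ValueError;
    the caller should fail closed rather than silently fall back to http."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"refusing non-TLS endpoint: {url!r}")
    return url


def send_token_safely(url, token, transport):
    """Send a bearer token only over https. 'transport' is an injected callable
    standing in for a real HTTPS client so this runs offline."""
    assert_tls_endpoint(url)
    return transport(url, {"Authorization": f"Bearer {token}"})


# Constructed sample: the kind of event a relay might push on a failed send.
SAMPLE_EVENT = {
    "level": "error",
    "request": {"url": "http://relay.example/api/send",
                "headers": {"Authorization": "Bearer s3cr3t",
                            "User-Agent": "relay/1.0"}},
    "extra": {"message": "hey, my card number is ...", "recipient_id": 42},
    "breadcrumbs": [{"category": "send", "message": "draft text"}],
}


def demo():
    """Run both checks over the sample and report whether anything leaked."""
    scrubbed = scrub_event(SAMPLE_EVENT)
    leaked = "s3cr3t" in repr(scrubbed) or "card number" in repr(scrubbed)
    try:
        send_token_safely("http://relay.example/api/auth", "s3cr3t",
                          lambda u, h: (u, h))
        http_blocked = False
    except ValueError:
        http_blocked = True
    return {"leaked": leaked, "http_blocked": http_blocked}


if __name__ == "__main__":
    print(demo())
```

    The scrubber keeps non-sensitive diagnostics (level, recipient id, user agent) so the error report stays useful, while the TLS check raises instead of downgrading, which is the behaviour you want when a token is the only thing standing between an attacker and someone's message history.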
    1. [8]
      pesus
      Link Parent
      Wow, that is incredibly bad. That’s what I’d expect from someone’s amateur hobby project or something. I just can’t comprehend how they thought that was acceptable. I would be very worried if I was using a Nothing phone.

      15 votes
      1. [7]
        papasquat
        Link Parent
        The entire idea of the application was nonsensical. My messages going to a private data center full of Mac minis to subvert apple’s security?

        That’s really a product you expect people to pay for? Like come on.

        17 votes
        1. JXM
          Link Parent
          Truthfully, most people don’t care about the security of their messaging system. Otherwise, everyone would use Signal. But billions of people use Facebook products, which are literally designed from the ground up to harvest your data.

          Most people just want to talk to their friends and share messages. Features like read receipts and high quality video/images matter way more to almost everyone.

          10 votes
        2. [3]
          Grumble4681
          (edited )
          Link Parent
          My understanding is that Beeper does something like this, though partly that is an assumption that they must have some data center of Mac Minis because I don't know how else they can relay iMessage chats.

          https://www.beeper.com/faq#how-does-beeper-work

          https://github.com/mautrix/imessage

          For their iMessage bridge, it specifically says to run on a Mac, so I assume to offer this service they must have quite a few macs with this bridge running.

          It seems Beeper is a bit more responsible with how they approach things than Sunbird was, though I don't think any service offering iMessage relay can offer the same security as if you had a native iMessage client.

          It seems the main reason Sunbird got so much profile to me is that it was actually going to be a public thing (maybe it was only available for Nothing phones, not sure), whereas Beeper is more like invite only right now. I signed up on Beeper's site back in August and still haven't gotten an invite. I was mostly just looking at it out of curiosity rather than a strong desire to use it, so I didn't really pursue further.

          For me, the lack of the same secure end to end encryption you would get with a native iMessage client isn't so much the concern because currently I'm sending SMS to iMessage clients from my Android. I have literally no idea where my SMS messages go or who might have access to them or anything of that sort, but it seems Beeper would actually be more secure than SMS.

          4 votes
          1. Merry
            Link Parent
            The last time I used Beeper, my messages and data were being routed through servers in Iran. I immediately removed all connections and deleted the app.

            6 votes
          2. ruspaceni
            (edited )
            Link Parent
            re: the invite list - i signed up for it on 30/6/2021 and only got an actual invite on 02/05/2023. now, that could be because they weren't interested in my usecase (since you have to say what services you'll be using when you ask for an invite) or the invite list is that slow, but i'd be prepared to wait a bit

            i used beeper for a short while but wound up stopping recently since they now only support google messages instead of the old sms system. since i just wanted to be able to read/send texts from my desktop - i switched to using something local called kde connect

        3. [2]
          ButteredToast
          Link Parent
          I could see it making sense as a locally run application for people who already own a Mac or are willing to procure one, as long as it verifiably isn’t sending messages up to the mothership. People will pay for “local server” apps, as has been proven by the likes of Plex.

          The market for that isn’t as large though which is I guess why they went the direction they did.

          3 votes
          1. smores
            Link Parent
            This is actually already a thing, it’s called BlueBubbles, it’s open source and self hosted, and very easy to use for an open source self hosted project!

            5 votes
    2. [6]
      mild_takes
      Link Parent
      I wasn't expecting it to go well but I thought it was just going to be storing/selling messages not the rest of that shit show.

      1 vote
      1. [5]
        babypuncher
        Link Parent
        selling messages

        I feel like that alone would be a huge deal, is there any messaging service that actually sells user message contents to third parties?

        1 vote
        1. [4]
          mild_takes
          (edited )
          Link Parent
          Maybe I'm using "selling" as an overly broad term here, but as an example Google scans the contents of all your emails to market to you better.

          2 votes
          1. [3]
            R3qn65
            Link Parent
            Per google,

            When you use your personal Google account and open the promotions or social tabs in Gmail, you'll see ads that were selected to be the most useful and relevant for you. The process of selecting and showing personalized ads in Gmail is fully automated. These ads are shown to you based on your online activity while you're signed into Google, however we do not process email content to serve ads.

            Emphasis in the original.

            I recognize you may feel that Google is lying, but it'd be ideal to include something about how Google says they don't do that in your original post.

            7 votes
            1. [2]
              mild_takes
              Link Parent
              Well, I stand corrected.

              1 vote
              1. R3qn65
                Link Parent
                No worries man. Google is so good at understanding things from search that it often seems like they must be reading your correspondence.

  2. [2]
    kube
    Link
    • Exemplary

    When I first saw the product announcement making it rounds, I found this lovely red flag in their FAQ about why they will never open source any of their code:

    Some of the messaging community believes that software that is open source is more secure. It is our view that it is not. The more visibility there is into the infrastructure and code, the easier it is to penetrate it. By design, open source software is distributed in nature.

    It is my opinion that anyone who believes security by obfuscation is valid security hygiene does not understand security. This screams “we don’t really know what we are doing.” They could have listed any number of defensible reasons why not to open source their code base; however, mentioning security is the one reason that is demonstrably false and inaccurate.

    For those who may not be versed in open source and security and may be convinced towards the validity of Sunbird’s claims, take a look at OpenSSL or OpenSSH or any number of open source libraries used to run the secure Internet.

    21 votes
    1. R3qn65
      Link Parent
      Haha, that's awesome! Thank you for sharing it. That is an absolutely absurd statement.

      3 votes
  3. [2]
    adutchman
    Link
    I study software engineering and this shit wouldn't be accepted for second year security. Truly mindboggling. This is unworthy of any software developer, let alone a big company.

    8 votes
    1. gco
      Link Parent
      You'd be surprised how many corners are cut in the industry with the intent of moving fast, security usually being the preferred choice to cut from.

      10 votes
  4. kovboydan
    Link
    It took less than a week from when the “this probably isn’t going to go well” article was published.

    Did anyone expect this to go differently? “Not a disaster” differently, not “not this, bad this fast” differently.

    6 votes
  5. xk3
    Link
    Fyre Festival vibes

    6 votes
  6. norb
    Link
    Wasn't there another "encrypted" chat app that this exact same thing happened with earlier this year??

    4 votes
  7. [2]
    bengine
    Link
    Pretty bad situation overall. Is Nothing complicit, or just negligent in vetting Sunbird's claims?

    2 votes
    1. r-tae
      Link Parent
      Not vetting your vendors properly is complicity, at least in my opinion. I don't think they can really hide behind blaming Sunbird when this would have been caught by even the most modest security audit.

      3 votes