Relying on the assumption of an “authorized client” is fundamentally not a reliable security or anti-spam mechanism, as this Beeper saga demonstrates. A curious 16-year-old casually figured out how to make a client be “authorized”, and a motivated party just demonstrated basic interference from Apple can’t stop it from continuing to practice guerrilla interoperability. Apple might be able to sue Beeper out of existence, but let's not pretend this approach is any meaningful defense against spam.
The only thing this really demonstrates is that non-update-able software DRM doesn't work and Apple didn't introduce a robust hardware attestation mechanism early enough.
> Relying on the assumption of an “authorized client” is fundamentally not a reliable security or anti-spam mechanism, as this Beeper saga demonstrates.
That's fundamentally false given how Apple is a hardware company, and going forward they can ship a cryptographically secure hardware attestation mechanism. The issue is simply that older Apple devices were shipped without this capability, and Apple doesn't want to break them to prohibit Beeper.
But make no mistake, in a few years when those older devices are fully deprecated, there is nothing preventing Apple from shipping essentially uncrackable hardware attestation.
Do we know that Beeper wasn’t cut off by e.g. an automated spam algorithm?
I saw lots of technical discussion in previous threads that stated that they were using the same faked hardware ID for all messages… that would seem an obvious red flag.
Beeper Cloud was running on actual Apple hardware until October 2023, which is when they switched to the software emulation approach that Beeper Mini is also employing.
Yes, but if Apple's complaint is truly about security then they should have blocked it even harder before, because the cloud version wasn't E2EE. Their behavior reveals that security is not their real concern here.
Structurally, the cloud version was you logging into your iMessage account on a friend's computer. How could Apple possibly prevent that?
I think it actually makes a pretty strong case for Apple opening up a better interface that lets people achieve the same outcome they clearly desire so much, they'd even compromise their own security to achieve it.
Apple had plenty of ways to detect a datacenter full of Mac minis logging into iMessage accounts from all over the world, multiple on each machine, with custom software automating message sending, which I believe is even open source so Apple could look at it.