🤖 I’m a bot that provides automatic summaries for articles:
Click here to see the summary
Nothing has pulled the Nothing Chats beta from the Google Play store, saying it is “delaying the launch until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users text with iMessage, but it required allowing Sunbird, who provides the platform, log into users’ iCloud accounts on its own Mac Mini servers, which… isn’t great?
The removal came after users widely shared a blog from Texts.com showing that messages sent with Sunbird’s system aren’t actually end-to-end encrypted — and that it’s not hard to compromise it.
The app launched in beta yesterday after being announced earlier this week.
9to5Google pointed to a thread from site author Dylan Roussel, who found that part of Sunbird’s solution involves decrypting and transmitting messages using HTTP to a Firebase cloud-syncing server and storing them there in unencrypted plain text.
Roussel posted that the company itself has access to messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”
I’m still shocked by the fact that people actually like or even trust Nothing when, personally, the company gives me nothing but bad vibes since the very beginning. This tech-bro-crypto-bullshit / Elon Musk-esque / Cybertruck-esque marketing and attitude is a massive red flag to me. Can’t say I’m surprised about this.
From the FAQ of the Sunbird website (the tech powering Nothing Chats):
Will the app be open source?
Some of the messaging community believes that software that is open source is more secure. It is our view that it is not. The more visibility there is into the infrastructure and code, the easier it is to penetrate it. By design, open source software is distributed in nature. There is no central authority to ensure quality and maintenance and by putting that responsibility on Sunbird, development would not be feasible. Open source vulnerabilities typically stem from poorly written code that leave gaps, which attackers can use to carryout malicious activities.
To help satisfy our own ambitious goals of providing total privacy and security, we are currently undergoing a third party audit that will validate our security, encryption and data policies and plan on receiving ISO 27001 certification after launch.
This was a huge warning sign when the first round of news about Nothing Chats came around, so I’m glad we’re now getting early confirmation that security by obscurity still is a horrible idea and doesn’t work
I feel like I’ve been shilling beeper a lot recently. They may or may not read my messages but at least they open source their inferstructure and contribute to the FLOSS projects they use.
Right! The last I remember hearing the “closed source is more secure” argument was about fifteen years or so ago, so it’s surprising that it is being pulled up from the dead.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@beehaw.org
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
🤖 I’m a bot that provides automatic summaries for articles:
Click here to see the summary
Nothing has pulled the Nothing Chats beta from the Google Play store, saying it is “delaying the launch until further notice” while it fixes “several bugs.” The app promised to let Nothing Phone 2 users text with iMessage, but it required allowing Sunbird, who provides the platform, log into users’ iCloud accounts on its own Mac Mini servers, which… isn’t great?
The removal came after users widely shared a blog from Texts.com showing that messages sent with Sunbird’s system aren’t actually end-to-end encrypted — and that it’s not hard to compromise it.
The app launched in beta yesterday after being announced earlier this week.
9to5Google pointed to a thread from site author Dylan Roussel, who found that part of Sunbird’s solution involves decrypting and transmitting messages using HTTP to a Firebase cloud-syncing server and storing them there in unencrypted plain text.
Roussel posted that the company itself has access to messages because it logs them as errors using Sentry, a debugging service.
Sunbird claimed yesterday that HTTP is “only used as part of the one-off initial request from the app notifying back-end of the upcoming iMessage connection.”
Saved 34% of original text.
I’m still shocked by the fact that people actually like or even trust Nothing when, personally, the company gives me nothing but bad vibes since the very beginning. This tech-bro-crypto-bullshit / Elon Musk-esque / Cybertruck-esque marketing and attitude is a massive red flag to me. Can’t say I’m surprised about this.
From the FAQ of the Sunbird website (the tech powering Nothing Chats):
This was a huge warning sign when the first round of news about Nothing Chats came around, so I’m glad we’re now getting early confirmation that security by obscurity still is a horrible idea and doesn’t work
I feel like I’ve been shilling beeper a lot recently. They may or may not read my messages but at least they open source their inferstructure and contribute to the FLOSS projects they use.
Lol
Dont write or accept bad code then?
Transparency? No, security through obscurity!
Which is obviously what they were counting on, fingers crossed no one notices we’re using http
This is hilarious. How are we supposed to develop good software if everyone is able to show us where all the flaws are?
Right i posted the same thing on another nothing chats thread a few days ago. It’s such a bizarre statement that’s just not true.
Right! The last I remember hearing the “closed source is more secure” argument was about fifteen years or so ago, so it’s surprising that it is being pulled up from the dead.
It’s funny, they could have said they’re not going to release to open source without waving those giant red flags.
Well, how could anyone think that circumventing encryption with a shady middle-man tool wouldn‘t be a privacy nightmare?
EU politicians
They pinky swore that they wouldn’t look.
But to give credit where it’s due, it’s not worse than plain SMS.
SMS is literally the bottom of the barrel though