AT&T Breach Shows Why RCS Can't Be Trusted (daringfireball.net)
26 points by ingve on July 18, 2024 | 20 comments


Hm, the breach contained metadata, but not message contents. RCS does not attempt to defend against metadata surveillance.

Is the author's point, simplified, "any centralized collection of communications data, unencrypted, is vulnerable?" They mention E2EE, but even some of those still present centralized, unencrypted metadata.


Maybe. But really, to me, the author's real point is "Why are you people forcing Apple to support RCS? Leave them alone" and he'll draw longer and longer bows to justify it.

Gruber has had several moments where he's stridently defended Apple and denied issues only for it later to be revealed that there absolutely was an issue.

The last straw for me was the LassPass App Store issue a few months ago (where a scam app was approved and took the top spot in the store, over the official app).

Gruber, on this:

> Instead, the scam LassPass app tries to steer you to creating a “pro” account subscription for $2/month, $10/year, or a $50 lifetime purchase. Those are actually low prices for a scam app — a lot of scammy apps try to charge like $10/week.

Emphasis mine, but are you kidding me? He actually tries to downplay the issue by saying "Well, at least you wouldn't be scammed out of that much money".

And then doubles down, by claiming, with absolutely no knowledge whatsoever:

> It doesn't look like the app was intended to steal credentials.

Why do you think that is plausible reasoning? To me, the credentials are what you're intending to steal with the scam app. You might make some money from the IAPs, but that's a cherry on the top (and likely the actual reason why the amounts were low, so it didn't raise more red flags).

I've seen yoga practitioners who can't contort themselves as much as Gruber can when trying to defend/promote Apple and their interests.


> He actually tries to downplay the issue by saying "Well, at least you wouldn't be scammed out of that much money".

That’s a ridiculously uncharitable take on a simple statement of fact that you yourself even seem to accept later in your comment.


The thing is Gruber tried to imply/claim that there was no reason to believe that there was an intent to steal credentials, i.e. the only part of the scam was the financial aspect.

So no, I stand by it. If by his belief, not mine, that the app was purely a financial scam, he literally downplayed it, effectively, as "even if you're being scammed, you could have been scammed more elsewhere", and most of the rest of his writing was implying people are being overly critical of Apple.

As for an uncharitable take? Were it Gruber's first foray into defending Apple in the face of evidence, maybe. After screen staining, batterygate, butterflygate, logic board issues, and several more (hell, he even defended "You're holding it wrong"), all of which Gruber insisted were user issues, non-issues or random events, several of which ended up resulting in warranty extensions and/or recalls, I'm less inclined to be ... 'charitable'.


If anything, RCS has shown people will use the encryption buzzword like it's some silver bullet of security.

Unless you are the only holder of the key, encryption is typically useless in a hack.

Go ask every healthcare breach and they will tell you the data was encrypted...

If RCS was encrypted there is a 99% chance AT&T would have the keys easily accessible.


I really don't understand why people want to tie their messaging to their mobile service provider. This seems best as two jobs for two companies. Then I can switch either at will.

1. Mobile internet access.

2. Messaging.


For the same reason they tie their phone calling to their mobile service provider.

I don't like tying communications to phone numbers either because that means you need phone service to communicate, but that ship has sailed, and there are many people who barely use email at all.


I think it comes down to the fact that every mobile phone supports at least SMS if not RCS out of the box -- no new apps, no signing up for new services, etc.


This. The thing I (in the US) really like about SMS is that everybody can do it. With apps, I'd have to have a number of different ones and remember who is using which one. It seems like a huge pain in the butt to me.


I'm a fan of E2EE, but the AT&T hack did not involve intercepting RCS messages. It's sort of like saying "Chewbacca is a Wookiee, therefore you shouldn't use RCS."


I don't see the section that says it involved accessing RCS messages.


See my other comment. Gruber doesn't say it involved accessing RCS, but he does write nearly 2,000 words strongly implying and reinforcing that "Apple knows best" and that if they say they shouldn't have to support RCS, you should trust them.


FTA: “the argument against RCS is strong and simple: it doesn’t support end-to-end encryption”

“SMS and traditional telephone voice calls lack any encryption at all, but they’re firmly established. Just like email. But anything new should only be supported if it’s fundamentally based on E2EE.”

“Perhaps, someday, the RCS spec will support an open standard for E2EE. I’m not holding my breath for that. For one thing, industry consortiums tend not to produce good solutions to hard problems, and an open standard for E2EE messaging is a very hard problem.”

So, they argue

- new communication standards must be end-to-end encrypted

- that open end-to-end encrypted standards cannot be developed

If both are true any new communication standards must be proprietary.

I don’t think that’s a conclusion shared by society.


They argue that open end-to-end encrypted standards cannot be developed by industry consortiums which seems to be true.


That is the recently-ratified RFC9420, or Messaging Layer Security [1]. Matrix is supportive [2], Google is supportive [3], and Google Messages is actively gaining support [4].

1: https://datatracker.ietf.org/doc/rfc9420/

2: https://matrix.org/blog/2023/07/a-giant-leap-with-mls

3: https://security.googleblog.com/2023/07/an-important-step-to...

4: https://www.androidauthority.com/google-mls-e2ee-messages-34...


Open, decentralized, and federated E2EE is clearly possible. Matrix is a perfect example of this.


Was it developed by an industry consortium though? It seems like it was created by a single company.


He did not say that open E2EE could not be developed. Of course it could, someday, maybe.

Meanwhile the proprietary networks that literally billions of people already use have had E2E for 10+ years.



Use Signal, problem solved? headscratch



