Sunbird Security Isn’t Nothing

This might get lost in the OpenAI earthquake happening, but it’s important so I wanted to post about it. (And gosh! A Starship launch, which is amazing. We live in interesting times.) On Tuesday, Nothing, who makes the cleanest and most interesting Android phones (and whose earbuds sound great), announced via my favorite tech video channel, MKBHD, that the phones would support iMessage on Android, so you can be a blue bubble with your friends. This got a lot of pickup!

It got a little buried, though, because on Thursday Apple said it was going to support the RCS standard, which Google and others had been lobbying hard for. However, it’s doing the bare minimum: RCS isn’t actually encrypted, and Apple’s not doing the Google proprietary thing to encrypt it, and so non-Apple people still get green bubbles. (More on that later.)

iMessage on Android (and Windows!) is on the roadmap for Texts, the all-in-one messaging platform Automattic acquired last month. The Texts team is obsessed with security, and that’s part of why the platform is desktop-only right now—to keep everything 100% client-side and fully encrypted in a way that could never be accessed by the team, or have any compromise in the middle, they’ve been taking their time to get the engineering right on the mobile versions. So they poked around the Sunbird app that Nothing partnered with, and it wasn’t pretty. Here’s Texts founder Kishan Bagaria:

The BlueBubbles thing might be a mistake, but seeing the unencrypted data on the wire definitely wasn’t. Sunbird replied and doubled down on Twitter, citing some ISO standard and claiming it was “encrypted.”

Okay! Now you’re caught up to Friday. Texts says Sunbird isn’t secure, Sunbird says it is. He said, she said, right? Not quite—there are receipts. This blog post lays out even more than Kishan tweeted originally and shares code so you can confirm this yourself. tl;dr: Sunbird puts all your iMessages and attachments into Firebase.

What should you take away from this?

Nothing (the company) still makes amazing hardware that you should absolutely check out and use. It’s my favorite Android experience. I think the company got bamboozled by Sunbird, and unfortunately this went mainstream on MKBHD.

Sunbird appears either not to understand security or to lie about it, and probably misled Nothing. I would recommend double-checking what that team claims in the future.

Who should we actually be upset with?

Apple.

You shouldn’t need to jump through all these hoops to have a blue bubble on iMessage. Design can create great things; it can also harm. Apple’s design decisions to “magically” upgrade SMS or texts or RCS into iMessage, which is better and more secure, create a green-bubble ghetto that’s also a terrible user experience for anyone not on an Apple-made device.

I’ve heard stories of teenagers being ostracized because they couldn’t afford an iPhone, of group chats rejecting people who turn the chat from blue to green. I know that sounds petty, but do you remember middle school? It’s about status, and Apple knows that. Everything they make bleeds status and signaling. They’re the best in the world at it, and I should know—I’m typing this post from an M3 Max black MacBook with 128GB of RAM. But while status signaling with amazing hardware and design touches is harmless, in software and social settings it can be harmful.

Regardless of how it started, today the green bubble indicates cheaper, lower-status, less secure. Apple’s half-hearted support of RCS just continues this. Sunbird (and others) shouldn’t need to jump through so many hoops around this stuff by reverse engineering. Apple should open up iMessage APIs so it can be natively supported just like every other 100M+ messaging platform is: Telegram, Signal, WhatsApp, et al. Teens who can’t afford or don’t want an iPhone should be able to have an app that lets them connect with their friends as peers, securely and with all the features that are easy to support in messaging.

Tim Cook, Apple, we love you. Trillion-dollar company, and lots of room still to grow. Allowing iMessage/FaceTime to interoperate (like it used to!) might take .01% off your growth rate, but it’s the right thing for humanity. Yes, I know Google is shady too, and they’re locked in this smartphone death match with you. But take person-to-person communication out of the struggle, make it a DMZ, and be content to compete in all the other areas you’re currently crushing: design, silicon, Continuity, security, privacy, customer experience, retail stores, spatial audio, the list goes on.

I have no idea how to get in touch with YouTubers, but Marques, if you see this, I’m happy to chat about the future of technology, open source, freedom, and privacy.

Update: As I was writing this, the Nothing Chats app has been pulled from the Play store.

Update 2: From my colleague Batuhan:

Texts Joins Automattic

Texts is a fun application (desktop only for now) that brings all of your messages into one inbox. It currently supports iMessage, WhatsApp, Telegram, Signal, Messenger, X/Twitter DMs, Instagram DMs, LinkedIn, Slack, and Discord DMs, with more on the way soon. It runs entirely on the desktop so it’s super fast and secure. It’s founded and led by Kishan Bagaria, a really unique entrepreneur and technical talent, and has a slate of amazing investors including Lachy Groom, Guillermo Rauch (former Automattician!), Sahil Lavingia, and many others—and I’m excited to announce that it’s now part of Automattic!

This was announced today on the Pivot podcast with Kara Swisher and Scott Galloway (my part starts 48:50 in), and also covered in The Verge, TechCrunch, MacStories, and a few others.

Today is also my 18th anniversary at Automattic! So, an exciting day all around.

Using an all-in-one messaging app is a real game-changer for productivity and keeping up with things. Texts is a paid app, with discounted student pricing, and I think a lot of people will find value in it. It’s quickly become one of the top three apps I spend time using.

This is obviously a tricky area to navigate, as in the past the networks have blocked third-party clients, but I think with the current anti-trust and regulatory environments this is actually something the big networks will appreciate: it maintains the same security as their clients, opens them up in a way consumers will love and is very user-centric, and because we’re committed to supporting all their features it can actually increase engagement and usage of their platforms.

We’re still working out everything for mobile, so if you’re looking for the all-in-one experience on iOS or Android in the meantime, I recommend checking out Beeper. It really is great to have everything together.

If you’re a reverse engineer hacker that is interested in working with a super-small elite team in this space with the fun of a startup and the air cover of Automattic, get in touch with Kishan on Twitter DM or email (kb at texts). Here’s a fun video for Texts. 😄

Wowza!

Okay, I’ve seen a lot of things in my life, but this has me fairly floored. I was at an EcoAmerica board meeting dinner and afterward instead of calling an Uber like I usually would, I tried a self-driving car, a Waymo. (The name inspired by my friend, Jaime Waydo.) As I got home I was so excited to tell my Mom what just happened.

I feel like every cell in my body is charged, it’s like the first time I got a script to run, or committed code into b2/cafelog, this is definitely a before and after moment. Here’s a video as the car arrived and I got out. I’m really at a loss for words. The “wow” you hear me say is one of the most genuine of my life. The thing is I know these self-driving cars exist, I’ve seen them around San Francisco forever, but the experience of being picked up and dropped off by a robot navigating the tricky SF hills and streets just hits different.

“The future is already here – it’s just not evenly distributed.”

William Gibson

One thing that always brings me back to San Francisco is you feel like you’re living in the future. Tonight was no exception.

Cost of Spam

Twitter/X is testing charging users $1/year with the idea that will keep out bots and spam. It’s an appealing idea, and charging definitely does introduce a “proof of work” that wasn’t there before, but the history of the web shows this is not really a big deterrent. Domains cost money, usually a lot more than a dollar a year, and millions are used for spam or nefarious purposes. The spammers obviously thought their benefit would be more than the cost of the domain, or they use stolen credit cards and identities. Charging may cause a short-term drop in bots while the bad guys update their scripts, but the value of manipulating X/Twitter is so high I imagine there are already millions of dollars being spent on it.

Long term to keep a platform healthy you really have to take a nuanced look at behavior and content, like Automattic does with Akismet, and have a fairly sophisticated trust and safety operation with great engineers. T&S is really important, not an enemy of progress, which would have been my chief edit to the otherwise exciting The Techno-Optimist Manifesto by Marc Andreessen. (If you missed Marc’s Why AI Will Save the World, that’s also an excellent read with dozens of references you can go down a rabbit hole with.)

Do the work

There’s a way to run a company like managing a government, with reports, surveys, and abstractions.

There’s a way to run a company like building a ship, where every board and seam has to be understood and checked.

Both can be successful, but you need to decide which you want to do.

Preserving Harvard’s Blogging History

This month, Automattic had the privilege of working with the Berkman Klein Center for Internet & Society (BKC) to migrate their early 2000s blogging platform over to our Pressable infrastructure. (Pressable is a small host Automattic runs to develop our WP.cloud infrastructure; it gets you all the performance and security of our high-end WP.com plans, but with a more plain-vanilla WP interface.)

The Harvard Blogs network that the Center launched back in 2003 was an important milestone in internet history. It provided a platform for over 1,500 high-impact bloggers—including Harvard students, faculty, fellows, staff, and alumni—to publish and engage in discussion.

We were alerted to BKC’s plans to decommission blogs.harvard.edu by none other than Dave Winer, the pioneering developer behind blogging, RSS, and podcasting, and a Berkman Center fellow from 2003-2004. As BKC shared in their announcement, the network played a formative role for many now-influential bloggers and internet figures. It also contributed to the rise of podcasting and projects like Ushahidi.

When we learned BKC planned to retire the Harvard Blogs platform, we wanted to ensure this valuable archive of early internet culture was preserved. We offered to host the network’s blogs indefinitely so they can remain publicly accessible for years to come.

The Harvard Blogs multisite consisted of around 1,500 blogs. To move it over, we systematically migrated the archive to our servers and then upgraded the network to the latest version of WordPress (we also updated a handful of plugins and themes and tested the updated versions against the original sites hosted by Harvard).

Much like our recent unveiling of the 100 Year Plan for WordPress.com, the preservation of the Harvard Blogs archive demonstrates Automattic’s commitment to protect vital pieces of internet history and culture for generations to come. By preserving these blogs, we hope to inspire future generations of online voices.

There was something really nice about the neighborhood of blogs the Harvard blog network provided that I hope they or another university tries again sometime. Harvard is now 387 years old; I hope these blogs last at least that much longer (that would be 2,410 AD!).

Zeynep Tufekci has a great article, One Thing Not to Fear at Burning Man, that covers well what I have experienced as well growing up in Houston through hurricanes and other natural disasters—that in times of need people help each other in ingenious ways.

I Love WordCamps!

One of the cooler things the WordPress community started doing in 2006 was putting on these events we called WordCamps. A big one is about to kick off in National Harbor, Maryland (which is basically Washington DC, but we’re calling it National Harbor for some reason).

You might be wondering where the name came from: Tim O’Reilly, of the O’Reilly books that so many of us learned from, hosted a hacker event called Foo Camp but it had limited capacity, and was therefore something of an exclusive invite (one time I eventually went I slept in a sleeping bag in an office). Tantek Çelik had been invited the year before, but not in 2005, and I had never been invited, so a group of us put together a more “open source” event in response called BarCamp. (The name was an allusion to the foo/bar concept in teaching programming, and the picture on that Wikipedia page was in the living room of my first apartment in San Francisco, as you can tell by the stand-up piano and Thelonious Monk poster.)

Foo had the idea of a conference created on-the-fly by its organizers, and also had a radical event where there wasn’t even lodging but all that mattered was getting people together. Bar took that format and opened up the invite list, and did it quickly with just a few weeks of planning. They also open sourced the format so BarCamps could be hosted anywhere in the world, and many were. The following year I riffed on that and made the first WordCamp in San Francisco, at the Swedish American Music Hall, the same place Stewart Brand hosted the first hackers conference in the 70s. (We didn’t know that at the time, it was just a coincidence.)

WordCamp took the everyone-is-welcome from Bar, mixed it with the attendees-create-the-conference from Foo, added a little more structure and planning so we ended up with these really groovy community-organized events all over the world where people come together to learn, contribute, get to know each other, and have fun. WordCamp San Francisco evolved into WordCamp US, our flagpole event for North America. (I like that US can mean “us” as well as United States.) There have been hundreds of WordCamps around the world, and when we were getting started I used to go to all of them; if someone put one together I’d cram into an economy seat and fly there. I can’t make it to all of them anymore, but I still go to as many as I can, and they’re some of my favorite days of the entire year.

It’s so cool to see a group of people from eclectic backgrounds come together because we love making the thing that allows people to make the thing. (WordPress.) You’ll see CEOs of multi-hundred million ARR companies brushing shoulders with techno-anarchists, all brought together by a common hope and belief in the four freedoms of open source and the mission of WordPress—to democratize publishing, put the best tools in the world in the hands of everyone, for free and for freedom.

This year’s WordCamp US is exciting to me for a bunch of reasons. One, I love spending time with other contributors to open source. Second, WordCamp organizers iterate and learn, and so every year I’m excited to see what’s being trialed and what’s improved, because they just keep getting better and better. Third, we’re doing a community summit beforehand for the first time in a while, which is why I’m already in Maryland. Finally, on the amazing schedule are two speakers I’ve invited to bring something new to our milieu.

Ken Liu is one of my favorite sci-fi writers and will be giving an amazing talk weaving together the history of narrative craft and modern publishing and technology. I’ve read almost everything he’s written or translated, and seen him talk once before, and couldn’t be more curious to hear what he’s bringing to the WordPress community.

Simon Willison is an engineer and blogger I’ve followed since the earliest days of WordPress, and recently he’s been one of the most interesting explorers in the new world of AI and LLMs. He’ll be sharing with us how to tap into this new alien intelligence, how it can accelerate our coding, security, and mission to democratize publishing.

So if you ever have a chance to go to a WordCamp, take it! It may be too late for this one, but you can follow the livestream (visit the site once the conference starts), and plan for next year. We also make sure all the talks are accessible on WordPress.tv later.

Foo Camps still happen, by the way, and have branched into science and such, and who gets invited is a whole deal. They’re still awesome.

I hope what people see here is that creativity and doing generates more creativity and doing.

Chorus and WordPress

I woke up this morning to a lot of people sending me the link to today’s Axios story reporting that Vox Media (which includes The Verge, New York Magazine, Polygon, and many other outlets) is moving from its proprietary CMS, Chorus, to WordPress VIP, Automattic’s open source solution for large publishers.

This is very exciting—not just for the obvious reasons, but because I’ve been a fan and reader of Vox since they started. As a tool-maker, one of the greatest honors is when fantastic people choose your tools to practice their craft. I’m also sure their feedback will make WordPress better! Vox Media folks, if there were any Chorus features you loved, drop them in the comments and we’ll make sure they can become a plugin or get baked into WP core. And if anyone has built amazing features in other CMSes you’d like to see in WordPress, we’re hiring!

As I said in my recent conversation with Dries Buytaert and Mike Little celebrating WordPress’ 20th anniversary, and with a hat tip to Fight Club, I believe that on a long enough timeline, the survival rate of proprietary software drops to zero. I don’t fault anyone for starting a CMS—I’ve been guilty of that myself a half-dozen times, not counting WordPress—but while something custom-built may seem better for your needs in the beginning, that never lasts. Unless you invest heavily in engineering (like tens of millions per year), the steady improvement of a healthy open source community, like the tens of thousands of developers working on WordPress every day, will eventually catch and surpass any proprietary system.

Not all open source projects achieve the famed positive flywheel; it takes decades, and most will fail in the process. The ones that reach exit velocity, though, become part of the fabric of civilization. At that point, it makes more sense to build on top of them rather than recreate the wheel. You’ll still get where you’re going, it’ll just be a smoother, faster ride.

(Midjourney prompt: A chorus of people using WordPress.)