150 comments

[ 2.5 ms ] story [ 239 ms ] thread
It just works..

It's been good to seeing Bump innovate again over the past few months.

Heh--wait 'till you see what we've got up next. :-)

And, of course, we're hiring. Come help us do this crazy stuff. Email me at jamie@bu.mp

I don't get why this is a good idea (or how it works*). Anyone care to explain?

Edit: I'm wondering how it works in a technical sense.

It looks to be based on matching the location provided by your browser with the location of your phone.

I don't know whether it's a good idea or not, but it's certainly a unique concept.

Accurate-enough (sub-second in my case) timing of events + physical proximity (both your browser and the app ask for your location) = a near guarantee that your browser session + your phone is a unique pair. It also asks for confirmation on both the phone and browser to pair the first time.

There's no real chance of this being man-in-the-middled since you have to confirm on both devices. And they're being intelligent about it - I just tried it with two laptops at once, and you get "someone's device" instead of the name of your iThing, and your iThing says "please try again" like this: http://cl.ly/1O33430M0i2c0i2T0z2U

Once you've approved, they have a browser + app pair of cookies for future pairings (not really exploitable, as it runs over https), which strengthens the single-pair guarantee to the point where it's about as good as it gets in any security model.

There's no real chance of this being man-in-the-middled

I'll need more convincing.

Once you've approved, they have a browser + app pair of cookies

Exactly what's keeping the cookie on the browser and the phone from being copied?

You must be leaving out some details. This doesn't strike me as "good as it gets."

>* Exactly what's keeping the cookie on the browser and the phone from being copied?*

SSL. Either you trust it or you don't. Similarly, either you trust the CAs to work (preventing a real MITM on https traffic) or you don't. Which makes this as secure as your banking site, except for the initial pairing, which I dare say they do more safely than any bank I've seen.

This is a gimmick. On the other hand the whole app is a workaround for the neutered iPhone communication stack.

Uploading something to a server just to share it with someone standing near you is ridiculous.

You mean like chat or email?
You /msg or email people standing next to you?
ever work in an office?
I have but I had a door so maybe that's what is different. But still I don't know why I would stand next to someone and chat / email them...
I do. When sending a link for example, this is the path of least resistance. Yes, I could read it out and have the other person type it (which would take ten times as long). And yes, if I wanted to use bandwidth optimally, I would make a direct connection to their device and send it that way. But up to a certain length of data, the overhead of making that specialized connection outweighs any inefficiency of communicating through a middleman.
Yes, emailing/chatting is also ridiculous. And so is sending a package when you want to hand someone an object.

Terribly inefficient.

This could be a good way to quickly upload multiple screenshots to the computer.
Yeah. It does work, and it doesn't seem like a bad thing. The problem is that instant upload reduces the functionality on Android by a ton.
Similarly on iOS, iCloud handles moving photos from my phone to my Mac. This, however, would be useful for passing photos to friends or people I'm working with.
I walk into a room full of computers... Windows, Linux, Mac, iPads, Android Tablets. I have a device in my hand that has photos I just took. In what world is transferring those photos to a specific other device in that room easy?

Sure, I can set up MY home computer to automatically pull pics from my phone, but I want to put it on Bob from work's computer... or the boss' iPad.

I would turn to email or dropbox before, but at first glance, this is a pretty damn elegant solution.

I log into my Google+ account and all the pictures on my phone are magically there.
1. open google plus on bob-from-work's computer. 2. log out bob-from-work's account. 3. log in your account (type in username / password) 4. navigate to your recent photos (are they there yet? you just took them...) 5. download them yourself / wait while bob-from-work downloads them. This whole time bob-from-work can see all your other recent photos as well. 6. make sure you log out.

or:

1. open bump 2. go to the website on bob-from-work's computer 3. tap the photos you want to share 4. smack the spacebar with your phone.

>Uploading something to a server just to share it with someone standing near you is ridiculous.

Not really. For one thing, it greatly simplifies security concerns for the user without compromising anything.

No, there is always a compromise in security and privacy as part of the price of convenience.
There is no additional compromise. If you go opening up sockets directly between devices, you open yourself to new exploits if you don't implement that communication correctly. If you use a server in the middle, you can just use HTTP and leverage built-in, strongly vetted web browser code that was already there. And if that code has security holes, they were already available to attackers before your app came along.

It's the difference in immune system exposure between a pill and a hypodermic needle.

There is no additional compromise.

What you say is generally true for file transfer mediated by server. I am unconvinced it's specifically true for Bump. What I said still stands: security is inversely proportional to convenience. Often security is purchased up-front, paid for by inconvenience. With Bump, you "pay" via an app which uses a coincidence in time and space to "authenticate" you. Such a transaction usually works out, and is probably no riskier than giving clerk you don't know your credit card. (Another place where one gets convenience in exchange for privacy and security.)

In the case of transactions with serious downsides, should they go wrong, then users should be aware where there are compromises in security. Denying the truth of this is to spread ignorance.

Well, I have no idea if Bump uses HTTP and such to do this via vetted methods or if it is really secure in terms of opening your device up to attack vectors. I was making the general point that transferring files between proximal devices by uploading to an intermediate server isn't inherently pointless.

I do not think that Bump is attempting to be secure in terms of keeping your images from being intercepted or that it is right to even describe what it does as "authentication". It would be more accurately described as "client selection". There is a niche of insecure file transfers to be filled though. For example, I sometimes send images to people via imgur, which is completely insecure, but sometimes I'm sending images and I don't care if other people can see them.

That is a very different kind of security issue than one that allows an attacker to control a device, which is the sort that I meant when I said that using an intermediate server doesn't open up security holes.

"Uploading something to a server just to share it with someone standing near you is ridiculous."

It is ridiculous from the technical point of view. It is ingenious for the users. I am sure that the question 'what else do we consider splurging' is the one that could uncover a lot of innovative uses of technology.

http://blog.tomaskafka.com/what-do-we-consider-splurging

If I have already selected the photos I want to upload on my phone why would I want to use another device to complete the process?

NB: This is not trollfood and I am not a hater. I don't use an iphone so I may be missing something obvious.

This makes it easy to see what is on your iPhone on your computer.

It lets you authenticate without having to enter a username/password (less typing!) or having credential information already saved on that computer (which is a typical case if using someone else's computer.)

Why not just show a QR code on the screen and have the phone scan that. If it's been taking pictures, it can take one more :)
This photo upload thingy is an extension to http://bu.mp/ , phone to phone sharing service/app which is much better use case for the "bump technology".
Because almost every single use of QR codes I've seen has been a terrible UX mistake. They're unwieldy, slow and annoying.
And shaking your phone to whack your keyboard is great UX?
Yeah actually, it is. It's devilishly simple and has a physical action to represent the virtual action taking place.
I've had the exact opposite experience. When I want to give my phone number to someone, Android's "share via barcode" functionality is the most reliable way to do so. The people who need my info simply scan the QR code on my screen, and they instantly have a fully-populated contact entry for me. It works better than having them manually enter the information, emailing them something, or using NFC or Bluetooth.

Similarly, if you're at a new computer and you want your phone to authenticate that computer, the computer just needs to display a QR code that your phone scans. The phone then authenticates to the service, sends the token in the QR code, and the computer you're at is trusted. Even easier than bumping.

My first thought as well. Then I was wondering why the site wanted my geo location. So the obvious thing we missed is that you just open the site, bump with the app (and press spacebar simultaneously to sync) and you see photos from your phone on your computer.

I don't see how is this better than, for example, storing your photos into some dropbox-like service, but it is certainly a neat idea.

Whoever designed this page: this is a clever idea, the ideal goal (I assume) is for it to be spread around ("hey, did you see this neat photo uploader thing?") in which case why doesn't it link me to the app for download? I don't have bump, I want to try this idea... so I have to work out what the site url is and then go and find the app myself. Why not a "don't have bump? download here!" link?
"Hey did you see this photo uploader? I was trying to work/study and this dumb guy/girl behind me kept whacking their keyboard with an iphone. I asked her if something was wrong with her computer and she replied 'No, I am banging my keyboard with my phone so I can upload photos to a website.'"
Yeah, clever viral marketing (which is clearly working as we're talking about it here). I was a bit suspicious that they wanted to captured my geo location on that page too.
Bump works by correlating the time the "bump" occurs and the location of the bumps. Of course, tracking your location is an added benefit for someone that might care about that sort of thing.
I get that now after reading this thread. The problem is my first instinct was "why the hell does this website want my location?" when there was nothing on the page to explain why it was requesting this.
In addition the page doesn't really tell you what will happen or how it will work until you install Bump and try it out.
Totally irrelevant, but if you click on the Bump logo, it changes the background image.
They need to fire their UI team.

Wasting time on dumb features like that when the mobile app UI and constant nagging is like dragging your nails over sandpaper.

Might be less than optimal compared to something like iCloud, but it's a pretty awesome example of technology that looks like magic.

I'm thinking they're using both your phone and computer's location + timing of accelerometer activation and spacebar hit to identify the phone and computer being bumped together.

Very neat.

It could be key-down + key-up times to get two data-points for a match. The accelerometer would be able to compute the contact time.
You're half right, it's sockets + accelerometer. If you try hitting your phone against any hard surface and hitting the space bar at the same time it triggers the effect too. You can find the socket js in https://photos.bu.mp/static/js/bump.min.js

Space bar triggers POST (content:{"category":"Bump","action":"NoMatch","time":1334124838.48,"client_id":"a7g47710-e991-721f-8bb6-ea4013a22fb6","session_id":"1509c654180344aea5660a0349b0caaf"}).

This just very cool in a very nerdy sort of way. I kinda wish it was less gimmicky, on the other hand I assume bump uses the time stamps of the shake and the key down to figure out which two devices are trying to talk. I wonder what the threshold for collision is?

Anyway, very cool and I could actually see a use for this, sending photos of whiteboards to colleagues that don't run Mac/have an iPhone. Would have to compete with email/dropbox for ease of use, but it does seem very simple on the receiving end, just surfing to a web page.

It's also using HTML5 browser location to narrow that tap down to a fairly small area. Pretty neat idea.
Yeah, that's true. I thought I wrote that as well but seems I erased it :) From experience, the accuracy on my browser location can be quite low, but I guess if you have (x,y,t) on both devices and a relatively large distance in the vector between bumpers it really doesn't matter.
I didn't approve the request for browser location, and it still worked flawlessly.
How do you know what web page you are supposed to "surf to"?
I was thinking in the case I'm standing next to him and just want to give him the file (I just photographed a whiteboard, for example). There's a ton of different, valid ways to send that file, but this is certainly one.
Bump is known for their ingenious methods of relating lots of data to figure out which two phones were being bumped at the same time (there's a really cool answer on Quora about how they do it). I would assume this is their tech team figuring out how to apply the same techniques across two devices (browser/pc -> phone). I bet there is some really cool stuff at play here.
This is exactly why it feels so sexy. I took some courses in sensor fusion at university, and this is a very cool distributed application. Being able to create reliable "Bump-distance" vectors given all the variance with a distributed clock (though they seem to push the clock to the client in the browser), and with the position given by the browser etc. Very cool.
I can see how this would work well in isolated environments (at home or maybe work), but how would it perform if I was in a crowded area with lots of others using bump. My guess is experience would be miserable.
(comment deleted)
This is brilliant! I guess the next step of photo sharing is to it more FUN. I assume that when I tab on my phone, the client feels the shake and uploads the photo to Bump, and at the same time the browser gets the space keystroke from the keyboard so it would send the location and time to server, which would then match the photo that was uploaded with the best location and time. Matching/guessing the timestamp here is more important than location here I guess.
The idea seems novel, but I can't bring myself to download the thing in the off chance I might want to upload photos but I'm nowhere near my computer, or any computer for that matter. Besides that, the page lacks any kind of "Download here" link. I'm sure I could find it on the app store, but I appreciate the added convenience.
been using this since it hit its very early stage beta a few months ago ... all I can say is it is awesome ... truly wonderful when I need to pull a ton of pics off my phone
Wow! Are you patenting this idea? I just thought of, like, one hundred uses for this same idea. So fast. Wow. Mind blown.
Is this a joke / commentary on patent law or are you genuinely enthused?
It's my genuine reaction. I really thought this is super cool and innovative.
I was about to write that there was an app for sharing between phones that used "bumping" but when I searched for the name... it's the same app :)
Whoa! Just "bumped" into somebody else while testing this out. http://twitpic.com/98efxf

Gimmick?

Slightly disturbing that you don't get any confirmation to share on the mobile side, it just sends your data off to whoever it matched with immediately :-/

Generally very cool experience but I wonder how well the matching algorithm will scale though. You can't be getting all that many bits of uniqueness out of a single key press and a vague bit of browser location data right?

I think it can scale by bumping more times (1-3 is ok for people and it will triple your space). But even with this, the non-geo-located (or poorly located) browser will become unusable by oh-so-many conflicts when you have certain amount of users using it.
If you think about it, it's a paradox. For this to be vaguely useful, lot of people must use it. When a lot of people start using it, the system breaks.

NFC to the rescue?

I wonder how often these types of collisions auctually occur.
This is cool. Something about the UX felt like magic- maybe it was the instantaneous response and the way my phone vibrated.

Anyway, can the devs make this more shareable? I wanted to share on Facebook but the FB-markup link looks very nondescript (bad title, no description text, crappy icon). So, I'm not going to share it. Some Twitter / FB links on the webpage would be great.

What is Bump's business model? The app is free. These services are free.
Acquire users and sell out to facebook/google? But yeah, this would be interesting to know.
Same as Fb or Twitter, collect user data and eventually have some great monatization idea. If nobody has a good idea, you can always put AdMob or something on it "this bump was sponsored by ..." something.

The idea is good, the best way so far to say "Bluetooth sucks".

Perhaps. I considered this, but Bump data isn't exactly social.

Apparently they licensed their technology to Paypal to build their money-exchanging app. Maybe that's the plan.

anyone have a video of how this works ?
From what I have read it seems you need to have geolocation turned on in your browser and iphone.

Have I been hiding under a tinfoil hat for so long that I am completely out of touch with the world? Do most HN readers have these on by default?

(comment deleted)
I just tried with geolocation on my phone, and off in my browser, and it worked perfectly.

I tend to pick and choose on an app-by-app basis.

Same here, I tend to stay away from geolocation as often as possible (obvious exception is google maps on my phone)
With an IP address(I doubt most people surf with TOR all the time), system time(Comparing time-zone data), language settings, and the myriad of other data given away a person can get ~close enough~. Even then, if you don't want to use the app don't allow it to send/recieve GeoData easy enough.
Make it a platform and instantly solve one of the biggest hurdles in user-content sites.
I have been waiting all this time for Bump to be useful. It is finally useful, and I am happy.
Had bump on my phone for nearly three years now. Have used it exactly three times. This time being the third one. It was impressive, and I'll likely show someone this tomorrow.
Since the topic has come up, one way to reduce collisions with all geolocation turned off would be to request the user tap a certain key (or even two keys in succession) with the phone instead of just the space bar.
Or presumably tap the spacebar twice (or more) - giving an interval for matching - which would avoid having to consider key positions and mishits and alternate keyboards and such.
Or better yet, tap out your Bump login and password with the phone!
They should have put a css transition in there so that the photo 'falls out' of the top of the screen when loading
I think this could be a cool hook to expand past photo uploads and be a full ios management tool. Give me a web interface to manage my bookmarks, sms messages, contacts, photos, notes, app third party data, etc.. - You could essentially create a web based ios/android manager. Something like http://www.ecamm.com/mac/phoneview/ but from the browser.

Keep in mind, all of the above exists already. Its just the elegant method of not having to put a PIN on both the phone + browser doesnt. Cool logon method.

Cool logon method.

An insecure login method does not a cool one make.

Want to build magic like this into your own iOS or Android app? Try out our brand new, super fast APIs:

https://github.com/bumptech/bump-api-ios

https://github.com/bumptech/bump-api-android

Email me if you have any questions: tg@bu.mp

Some feedback: I just filled out my virtual card with my contact info, and suddenly got an email from you guys in my inbox. I didn't sign up for an account or anything.

IMO this is pretty shitty - I put this information into the app to send to other people, not so Bump can email me. And now I feel iffy putting other data into the app - Bump is not strictly the data exchange platform I thought it was.

This is a violation of user trust - if you want to store/act on any information users put into the app you need to let them know first.

This really, really rubbed me the wrong way - this is the first time any app of mine has ever intercepted a form field, sent it to the mothership without my consent, and used the data in a way that was never stated nor implied. App deleted.

[edit] Oh hey look, the email addressed me by the name I put into the vCard. I guess now you have my phone number too.

You are aware that your email address is currency on the Internet, right, and that people are going to design all sorts of honeypots to get it?
Thanks for the warning. I'm really wary of companies that don't understand basic issues like this.
We are a cloud based solution that takes privacy very seriously. We do not share your personal information with people or services you don't want. Our privacy policy is available both in the app and online: http://bu.mp/privacy
>We do not share your personal information with people or services you don't want.

Clearly that's incorrect, because the complainer didn't want you to have his personal information.

Also the statement "We may use your Personal Information as we believe to be necessary or appropriate in any manner permitted under applicable law, including laws outside your country of residence" clearly gives you the right to sell his personal information to anyone.

Isn't it kind of a given that when you give your email address to a service, that you are allowing that service to contact you?

Otherwise what's the point of having the address?

I haven't used this app but I think the parent had expected that the data he entered would be confined to the application, not sent to the app developer. Simple analogy: Would you expect Microsoft to harvest every e-mail address you enter into Outlook?
Outlook is an application, not a web connected service, though. If I enter my email address when signing up for, say, Office Live, I'd expect to see a Microsoft email in my inbox every now and then.
Would you expect Google to send emails to people whose addresses have been entered into Gmail?
No, but that's not what happened here. You filled out your personal card which will be shared out with everyone you "bump" with. I haven't used the app, but I'd assume this fills some kind of registration function.
Bump emailed the guy that used their service. Your stretching the analogy a bit much.
I hope you realize that this response completely fails to address his complaint.
"Please try again. Bump works better if you enable location on your browser."

Seems like bump works better without enabling location, maybe because I prefer it to fail rather than to spy on me. Talk about not failing gracefully.

Bump actually does need the location, because it's important to filtering all the requests they get. It could certainly be abused, but unlike most other apps that ask your location bump actually needs it.
Here's some feedback : tapping the spacebar with the phone? That's dumb. Why? I have to hit hard for the "bump" to happen. But that's not really a problem since hitting a keyboard with a cellphone makes no sense. Consider another scenario :

a) The user clicks somewhere (or vocal command?) to enter a listening state.

b) Then he shakes his phone.

But then you lose the thing that "magically" links the phone to the computer, i.e the simultaneous record of the event occurence.