All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: diglloyd.com photography and WindInMyFace.com
Thank you for purchasing through links and ads on this site.
OWC / MacSales.com...
diglloyd Deal Finder...
Buy other stuff at Amazon.com...
Upgrade the memory of your 2019 iMac up to 128GB
877-865-7002
Today’s Deal Zone Items... Handpicked deals...
$1399 $1199
SAVE $200

$120 $40
SAVE $80

$849 $599
SAVE $250

$610 $444
SAVE $165

$1299 $999
SAVE $300

$299 $169
SAVE $130

$2799 $2499
SAVE $300

$1499 $899
SAVE $600

$799 $639
SAVE $160

$1180 $1050
SAVE $130

$150 $90
SAVE $60

$2399 $2159
SAVE $240

$1999 $1799
SAVE $200

$1099 $929
SAVE $170

$220 $170
SAVE $50

$1199 $1079
SAVE $120

$599 $199
SAVE $400

$819 $649
SAVE $170

$348 $298
SAVE $50

$2799 $2149
SAVE $650

$750 $450
SAVE $300

$1099 $929
SAVE $170

$280 $225
SAVE $55

$1299 $1169
SAVE $130

$998 $498
SAVE $500

Spotlight Builds in a Feature Spammers Could Only Dream About

How would you like it if every spam email you received reports your IP address back to the spammer who sent it? Even if you never see the email, never open it, never view it?

That’s apparently what Apple’s Spotlight does at present. More Apple Core Rot, but this time with a security/privacy twist. Macworld Magazine reports:

OS X Spotlight Search glitch can expose private details of Apple Mail users

At the moment, the only way to work around the issue seems to be to uncheck the “Mail & Messages” box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight’s search results, and thus, no preview is shown.

This is just plain sloppy engineering by Apple. With a fixed release schedule, not a little manure has to get shoveled out along with the hay. Where is the security review team in all this (is there one?).

The workaround is a disaster: MPG uses search within mail many times a day and receives dozens of emails from spammers a day. So either no search, or let the spammers have a field day/week/month until Apple gets it sh*t together.

Update: Possible Work-Around for Spotlight Privacy/Security bug of Indexing Spam Email.

Update 2: the scope of the issue may well be less than MPG originally understood. MPG understood the issue as happening with indexing, but it might actually be restricted to when searching (by the user) actually occurs and previews are shown. If so , the scope of the issue is much reduced, and we can all breath a lot easier. Still, the bug should be fixed, because searching by its nature pulls in just about everything. So the workaround above still has some value in sidestepping the issue.

...

Virtually all users have Spotlight indexing their mail. And because junk mail has things like tiny hidden images (you can’t see ’em), when loaded, every spam receive reports the computer’s IP address back to the spammer, telling the spammer you are a “live one”. Spammers might think they’ve died and gone to spammer heaven in terms of culling email lists for known-good emails.

But it’s not just spammers: consider for example that any forwarded or replied-to email would let the orginal sender know just what IP addresses it landed at, even if never opened or viewed (because of Spotlight loading images while indexing). That’s nasty. For security in government and corporations, this gets interesting. There may be other unforseen implications as well. In MPG’s view, this bug ought to be a top priority fix, or Apple is in effect an accessory to unsavory actors.

The serious bugs, and degraded usability in the past few OS releases are seeing a rising tide of criticism, but MPG posted Apple Core Rot a year ago, after watching it rot develop for 2-3 years prior. MPG’s view is that good judgment is in very short supply at Apple these days. This is not a bug out of the blue; a good software engineering team needs a core set of experienced engineers skilled in security and privacy issues. Someone had to write that code to load those images in emails. This and many other recent issues show slipshod software development practices extant today at Apple.

Tim Cook has emphasized how much Apple values your privacy, but can he be taken seriously when this kind of sloppy engineering is happening on his watch? Big flashy statements are easy to make. But engineering an operating system to deliver on promises requires sober thought and experienced judgment.

See also:


Save the tax, we pay you back, instantly!
View all handpicked deals...

ezviz CV-200 Mini Plus 1080p Wi-Fi Camera with Night Vision & 16GB microSD Card (Black)
$120 $40
SAVE $80

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2020 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__