All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: diglloyd.com photography and WindInMyFace.com
Thank you for purchasing through links and ads on this site.
OWC / MacSales.com...
diglloyd Deal Finder...
Buy other stuff at Amazon.com...
Upgrade the memory of your 2018 Mac mini up to 64GB
128GB Memory in iMac 5K

Up to 128GB for 2019 iMac 5K!
Up to 64GB for 2015/2017 iMac 5K

Save nearly 50% over Apple pricing

Spotlight Builds in a Feature Spammers Could Only Dream About

How would you like it if every spam email you received reports your IP address back to the spammer who sent it? Even if you never see the email, never open it, never view it?

That’s apparently what Apple’s Spotlight does at present. More Apple Core Rot, but this time with a security/privacy twist. Macworld Magazine reports:

OS X Spotlight Search glitch can expose private details of Apple Mail users

At the moment, the only way to work around the issue seems to be to uncheck the “Mail & Messages” box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight’s search results, and thus, no preview is shown.

This is just plain sloppy engineering by Apple. With a fixed release schedule, not a little manure has to get shoveled out along with the hay. Where is the security review team in all this (is there one?).

The workaround is a disaster: MPG uses search within mail many times a day and receives dozens of emails from spammers a day. So either no search, or let the spammers have a field day/week/month until Apple gets it sh*t together.

Update: Possible Work-Around for Spotlight Privacy/Security bug of Indexing Spam Email.

Update 2: the scope of the issue may well be less than MPG originally understood. MPG understood the issue as happening with indexing, but it might actually be restricted to when searching (by the user) actually occurs and previews are shown. If so , the scope of the issue is much reduced, and we can all breath a lot easier. Still, the bug should be fixed, because searching by its nature pulls in just about everything. So the workaround above still has some value in sidestepping the issue.

...

Virtually all users have Spotlight indexing their mail. And because junk mail has things like tiny hidden images (you can’t see ’em), when loaded, every spam receive reports the computer’s IP address back to the spammer, telling the spammer you are a “live one”. Spammers might think they’ve died and gone to spammer heaven in terms of culling email lists for known-good emails.

But it’s not just spammers: consider for example that any forwarded or replied-to email would let the orginal sender know just what IP addresses it landed at, even if never opened or viewed (because of Spotlight loading images while indexing). That’s nasty. For security in government and corporations, this gets interesting. There may be other unforseen implications as well. In MPG’s view, this bug ought to be a top priority fix, or Apple is in effect an accessory to unsavory actors.

The serious bugs, and degraded usability in the past few OS releases are seeing a rising tide of criticism, but MPG posted Apple Core Rot a year ago, after watching it rot develop for 2-3 years prior. MPG’s view is that good judgment is in very short supply at Apple these days. This is not a bug out of the blue; a good software engineering team needs a core set of experienced engineers skilled in security and privacy issues. Someone had to write that code to load those images in emails. This and many other recent issues show slipshod software development practices extant today at Apple.

Tim Cook has emphasized how much Apple values your privacy, but can he be taken seriously when this kind of sloppy engineering is happening on his watch? Big flashy statements are easy to make. But engineering an operating system to deliver on promises requires sober thought and experienced judgment.

See also:


MacPerformanceGuide.com
B&H Deal ZoneDeals by Brand/Category/Savings
Deals expire in 3 hours unless noted. Certain deals may last longer.
$35 SAVE $115 = 76.0% Lowepro DroneGuard CS 400 in Video: Drones
$2797 SAVE $600 = 17.0% $246 FREE ITEMS Nikon Z 7 Mirrorless in Cameras: Mirrorless
$2798 SAVE $400 = 12.0% Sony a7R III Mirrorless in Cameras: Mirrorless
$3498 SAVE $1000 = 22.0% Sony a9 Mirrorless in Cameras: Mirrorless
$898 SAVE $100 = 10.0% $161 FREE ITEMS Sony DSC-RX100 VA in Cameras: Point and Shoot
$1879 SAVE $1071 = 36.0% ZEISS 15mm f/2.8 Distagon T* ZE in Lenses: DSLR

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | Twitter
Copyright © 2019 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__