
PA announcement
"Paging Mr Webster for comment duty, Mr Webster please report for comment duty"
Maybe we can get the "Nice" Webster like we did a few days ago.
Apple has inadvertently made it easy for spammers to create a database of MobileMe email addresses. The issue points to a future of more junk mail for Mac heads. They are already being targeted by MobileMe phishing scams. The email harvesting issue arises because every MobileMe user gets a public idisk file-sharing site. …
I know that Mac users generally feel that SPAM, Trojans and Virii happen to other people and, I'm sure, the OS is probably a lot more secure than windows (although I don’t know this for sure) but to (effectively) publish the email address of every user of this service is taking complacency a little too far?
I thought web crawlers worked by following links from one page to another and cataloging everything they see?
So for you to be able to use a web crawler to harvest all the usernames on the idisk, you'd need to have a page that lists every single idisk public folder? Does such an index exist?
Or do webcrawlers work differently and somehow can find the pages by themselves?
@Andy: whatever the iDisk address is, in my view it should not be possible to conclude the account name or email address from that. If I want friends and relatives to navigate to my shared folders, I will send them a link. And I want to decide who is allowed in. Is iDisk open to the world by default?
Note: I'm not a .mac user, and now I'm not sure I would want to be.
Read the full article (you too, El Reg !). It's not a crawler.
What this iDisk thing gives is a way of verifying a guess about a potential user name @mac.com. So you can generate a million possible addresses, then weed out the ones with no associated account easily.
The only reason I'd expect this to be worth the hassle is if Apple block IPs that send too much bounced email.
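The comment above describes the iDisk folder as an oracle for confirming guessed account names. From the operator's side, that activity leaves a distinctive trace in the web server's access log: one source touching many distinct `/~username/` paths, most of them missing. The following detector is an added example, not code from the original thread or from Apple; the access-log lines are constructed, the host layout (`/~username/`) is an assumption borrowed from the thread, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined-log style) for a hypothetical
# per-user sharing host. The IPs, usernames and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jul/2008:10:00:01 +0000] "GET /~alice/ HTTP/1.1" 200 512
10.0.0.5 - - [12/Jul/2008:10:00:02 +0000] "GET /~alice/photos/ HTTP/1.1" 200 1024
198.51.100.7 - - [12/Jul/2008:10:00:03 +0000] "GET /~aaaa/ HTTP/1.1" 404 0
198.51.100.7 - - [12/Jul/2008:10:00:03 +0000] "GET /~aaab/ HTTP/1.1" 404 0
198.51.100.7 - - [12/Jul/2008:10:00:04 +0000] "GET /~aaac/ HTTP/1.1" 404 0
198.51.100.7 - - [12/Jul/2008:10:00:04 +0000] "GET /~alice/ HTTP/1.1" 200 512
198.51.100.7 - - [12/Jul/2008:10:00:05 +0000] "GET /~aaad/ HTTP/1.1" 404 0
198.51.100.7 - - [12/Jul/2008:10:00:05 +0000] "GET /~aaae/ HTTP/1.1" 404 0
198.51.100.7 - - [12/Jul/2008:10:00:06 +0000] "GET /~bob/ HTTP/1.1" 200 512
198.51.100.7 - - [12/Jul/2008:10:00:06 +0000] "GET /~aaaf/ HTTP/1.1" 404 0
203.0.113.9 - - [12/Jul/2008:10:00:07 +0000] "GET /~bob/ HTTP/1.1" 200 512
203.0.113.9 - - [12/Jul/2008:10:00:08 +0000] "GET /~bob/missing.pdf HTTP/1.1" 404 0
"""

# Combined-log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)
# Assumed per-user folder layout: /~username/...
USERDIR_RE = re.compile(r'^/~(?P<user>[^/]+)/')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_enumerators(log_text, min_distinct_users=5, min_miss_ratio=0.6):
    """Return {ip: stats} for sources whose requests to /~user/ paths touch many
    distinct usernames and mostly miss (404). A visitor browsing a friend's
    folder hits one or two names; a name-validation sweep hits dozens and
    misses most of them. A 404 on a file inside a valid folder still counts as
    one miss, but never raises the distinct-user count, so it is not flagged
    on its own."""
    per_ip = defaultdict(lambda: {"users": set(), "hits": 0, "misses": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        um = USERDIR_RE.match(rec["path"])
        if um is None:
            continue
        stats = per_ip[rec["ip"]]
        stats["users"].add(um["user"])
        if rec["status"] == "404":
            stats["misses"] += 1
        else:
            stats["hits"] += 1

    flagged = {}
    for ip, stats in per_ip.items():
        total = stats["hits"] + stats["misses"]
        miss_ratio = stats["misses"] / total
        if len(stats["users"]) >= min_distinct_users and miss_ratio >= min_miss_ratio:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "miss_ratio": round(miss_ratio, 2),
                "requests": total,
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: probed {stats['distinct_users']} usernames, "
              f"{stats['miss_ratio']:.0%} of {stats['requests']} requests missed")
```

On the sample, only `198.51.100.7` is reported (8 distinct usernames, 6 of 8 requests missing); the two legitimate visitors are left alone. In a real deployment the counts would be kept per time window, and the response to a flagged source would be rate limiting rather than blocking, since shared NAT addresses produce many distinct users too.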
Earlier in the year el Reg was reporting on Apple's security folks deciding against patching a security hole in Safari because they didn't really think it mattered. On top of that Paypal blocked Apple's browser, IIRC, for being too insecure, and now MobileMe is sticking a big note on its users' backs saying "Spam me!". Not to mention the bundling of MobileMe into all new iTunes installs whether you use it or not, and attempting to get Safari downloaded onto people's PCs earlier in the year too - it all reeks of bloat and force-feeding people their different solutions and disregard for consumer choice.
They certainly make a shiny, easy-to-use OS on such limited amounts of hardware that it never has to worry about drivers or incompatibility, and I was practically convinced that I was going to buy one last year. Now, however, I'm starting to think Apple need to step back and rethink what they see their customers as, because if the answer is "numbers on our bank balance" then they're just going to get closer and closer to being the people they currently oppose.
I can only hope that's not the answer, and this year's problems are 'bumps in the road' as Apple get used to being popular and realise it isn't all about people worshipping you and feeding you money. We'll see, I guess...
With great power comes great responsibility! And a cool costume... But Jobs doesn't have one of those yet... His ego's already inflated enough as is, right? :D
Aetyr, Safari isn't blocked, it works and has worked.
Here's the quote from the WSJ you may have misread:
Update: We just spoke to PayPal. It seems we in the media are reading too much into this. It will block people using old browsers and old operating systems, but contrary to many reports it will not block Apple’s Safari browser.
As for harvesting MobileMe addresses, this is HARDLY a new tactic, my old Mindspring account (Or before that, Netcom) over TEN years ago had my username in it, and was an easy way to figure out my email. You need to get your tech news from more than the Reg if that's what you're doing, their reporting is not somehow less flawed than others :) As for spam, from what I know of friends who have .mac/MobileMe the spam filtering is very good. Personally I don't use M-Me, have no use for it.
The ability of bot armies to spam all permutations of e-mail addresses in parallel makes pre-validation unnecessary. Many spamming bots are also aware of misconfigured/broken mail servers that will route undeliverable mail to a second e-mail address to double the odds of delivery.
I doubt Apple's WebDAV is implemented in a way that allows harvesting of unknown accounts. WebDAV is a resource hog even when used correctly. Allowing deep traversal from the top level would wipe out their servers in no time.
If there's going to be WebDAV abuse, it will be for illegal file sharing. Will Apple play whack-a-mole with everybody using "12345" as their password or will they do like Google and let an algorithm badly guess what account is being abused?
I'm presuming the accounts are set up something like this:
http://idisk.example.com/~username/ (I don't know the exact URL) where username is also the email address for the user. Simply scraping the internet for such URLs would bypass the need for some form of an index of all the idisk accounts. However, it wouldn't surprise me if there is some form of an index somewhere as well.
Somebody has indeed been after .mac accounts for some time now. In the last 3 years I've gotten 5 or 6 password reset request emails from the .Mac system just out of the blue. The headers all say it is in fact from the .Mac system, so someone's been requesting resets on my account.
Oddly, I get almost no spam at all to my .Mac account.
"Well I get 10 x as much spam on my gmail account as I do on .mac - and I've never distributed the gmail address - so I say this is yet another bogus Apple security story. Sorry the sky isn't falling, yet again."
@ Andrew Rennard
I agree 100%. Wouldn't it be easier/faster to simply harvest email addresses by sending an email to every possible combination of characters @me.com, rather than setting up a bot to hit every possible combination of characters at the iDisk web address???
It may not be a crawler but one way it could work is just like a brute force password cracker. Starts with one character and adds more and more till it hits the right one.
On a side note maybe the real Webster was abducted by aliens which is why the new one is so nice. Dear god THEY KILLED WEBSTER. . .THOSE BASTARDS
Have to agree with the other users that actually have a MobileMe account, I've received 0 spam mails during my 1½ of having the service. Getting huge loads to my Gmail/Hotmail, it would be a lot easier to just spider the web for emails or simply guess the addresses than using the idisk folder for this.
Biting the hand that feeds IT © 1998–2022