Apple’s .Mac iDisk insecure via Web browser

“While I was a fan of .Mac back when it was iTools, these days, I am less allured by its now pay-for services,” Jeff Smykil writes for Ars Technica.

“You are now hard-pressed to use Apple’s operating system without seeing some mention of the service. I dare say that the rise in popularity is most likely due to the presence of Apple retail stores and sales people asking just about anyone who makes a purchase if they would like .Mac with that,” Smykil writes.

“One of the more useful features of .Mac is the ability to access an iDisk from a browser [but] your iDisk might not be as secure as you’d like to think, and for a pretty stupid reason,” Smykil writes.

“According to one Slashdot reader, there is no way to log out of an iDisk in a browser, meaning that another user can access everything on your iDisk using the browser’s history feature. The individual is then apparently free to view and/or delete your files. Not good. Not good at all,” Smykil writes.

More info in the full article here.

40 Comments

  1. Like everything else in the world, iDisk security is vulnerable to good, old-fashioned stupidity. Any .Mac user who is the least bit concerned about the protection of their iDisk files can clear the History and delete the cookies. Should users have to go through this exercise? Certainly not! Does it represent a dire threat to the security of your data? Hardly!

  2. For those who like to blame the victim, I’d like to remind you that every dotMac page/service has a logout button EXCEPT on your iDisk.

    I can’t defend Apple in this situation. It is a dumb oversight which Apple needs to correct… yesterday!

    That doesn’t relieve anyone from observing safe computing practices. However, time-outs and login/logout procedures should be consistent throughout all the dotMac services.

    Yes, I am a subscriber.

  3. I have not seen this behavior and I just tested it. It still prompts me to log in if I close the browser. Tried this in IE7 for Windows with no problems. Maybe it has something to do with my security settings, but I don’t believe this is correct.

    If you are on a public or work computer, you should be deleting history and cookies when you log out anyway. But if this guy is right, it’s a big Apple blunder. Wouldn’t be the first time, but remember, how many blunders have there been on Apple’s side of the street vs. Microsoft?

    fm

  4. @wannabe
    Apple seriously needs to do something with .Mac. They are getting killed in the online service department by Google especially.

    That may be true, but I’m not posting any of my pictures on Picasa anymore. I haven’t checked Google’s other services, but I will.

    From Picasa’s “Terms of Service”:

    11. Content licence from you

    11.1 You retain copyright and any other rights you already hold in Content which you submit, post or display on or through, the Services. By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services. This licence is for the sole purpose of enabling Google to display, distribute and promote the Services and may be revoked for certain Services as defined in the Additional Terms of those Services.

    11.2 You agree that this licence includes a right for Google to make such Content available to other companies, organizations or individuals with whom Google has relationships for the provision of syndicated services, and to use such Content in connection with the provision of those services.

    11.3 You understand that Google, in performing the required technical steps to provide the Services to our users, may (a) transmit or distribute your Content over various public networks and in various media; and (b) make such changes to your Content as are necessary to conform and adapt that Content to the technical requirements of connecting networks, devices, services or media. You agree that this licence shall permit Google to take these actions.

    11.4 You confirm and warrant to Google that you have all the rights, power and authority necessary to grant the above licence.

  5. If you are using Safari on a different computer, public or borrowed, then you can use private browsing to prevent an entry to the history file from being created in the first place. Or, if you forget, you can delete entries from the history, or wipe it completely.

    Apple still has some work to do to pull all of the MacOS X and application functionality together into a neat package that ‘just works.’ Even more mature apps, like iTunes and iPhoto need some help. You should be able to easily share those databases with other users/accounts on your computer without jumping through hoops. And you should be able to do so while still being able to protect the contents of the library to anyone without admin access.

  6. Hey, Jamie.

    “I think there is a job for you at the UK Government, judging by the complete lack of encryption that goes on with our personal data.”

    Sorry to hear that the UK Government has a problem along these regards. A government should never have these problems. But, I read about information losses everyday. We all need to stay informed, and do our part. A system is only as secure as its subsystems.

  7. Browser-based iDisk access uses HTTP authentication rather than the more common login screen that other .Mac services use. This difference is why this flaw is a concern. The browser does remember the login credentials, even after closing all open windows. Quitting the app (at least for Safari) solves the problem.
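The distinction this comment draws is the crux of the story: with HTTP Basic auth the browser simply re-sends the cached Authorization header on every request, and the server holds no session state it could revoke, whereas a login-screen service can issue a server-side session and invalidate it on logout or time-out. The following added example (not from the article or any commenter; the user name, password and `sid` cookie name are constructed) models both server behaviours and replays a request after the user believes they have logged out.

```python
import base64
import secrets

# Constructed demo credentials; not a real .Mac account.
USERS = {"alice": "s3cret"}

def basic_auth_status(headers):
    """Server side of HTTP Basic auth (what browser iDisk/WebDAV access uses).
    The server only sees the header; it keeps no state, so a header replayed
    from the browser's cache is accepted until the browser quits."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):   # bad base64 or bad UTF-8
        return 401
    return 200 if USERS.get(user) == pw else 401

def parse_cookies(header):
    """Split 'a=1; b=2' into a dict; tolerates empty and malformed parts."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out

class CookieSessions:
    """Login-screen style: a random session id backed by a server table,
    so logout (and a time-out sweep) can actually revoke access."""
    def __init__(self):
        self._live = {}
    def login(self, user, pw):
        if USERS.get(user) != pw:
            return None
        sid = secrets.token_urlsafe(32)
        self._live[sid] = user
        return sid
    def status(self, headers):
        sid = parse_cookies(headers.get("Cookie", "")).get("sid")
        return 200 if sid in self._live else 401
    def logout(self, headers):
        self._live.pop(parse_cookies(headers.get("Cookie", "")).get("sid"), None)

def replay_after_logout():
    """(basic, cookie) status codes for a request replayed from browser history."""
    basic_hdr = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
    sessions = CookieSessions()
    cookie_hdr = {"Cookie": "sid=" + sessions.login("alice", "s3cret")}
    sessions.logout(cookie_hdr)          # Basic auth has no equivalent server-side step
    return basic_auth_status(basic_hdr), sessions.status(cookie_hdr)
```

Running `replay_after_logout()` yields `(200, 401)`: the Basic-auth replay is still served, the cookie-session replay is refused.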

  8. One other thing I forgot to mention…

    Because webdav allows access control over your iDisk, .Mac allows an iDisk user to set the iDisk as write only i.e. you don’t have to worry about someone erasing your files via a web-browser, not even you can do it. I have to go home and access my iDisk from my Mac to delete stuff off my iDisk ’cause I set webdav up through the iDisk administration (Settings on the Mac as I recall) to be write only.

    As we admins usually say: RTFM. Go out and read about webdav on, say, wikipedia before touting off misinformation.

    Ok. Back to normal. iDisk isn’t as bad as some would portray – above.

  9. Oh, yeah – the only thing I’m ever concerned with is using up my 300GByte per month transfer limit to/from my web pages, iDisk (the same thing, actually), etc. I allow my friends to utilize my Public iDisk space to transfer data to/from work (with the usual speech that I give them about double-encryption – see above) – so I monitor my monthly data-transfer amount to make sure I’m not getting hosed. Fortunately, even with sharing a bunch of mpeg4’s with friends, etc., the most I’ve used in 1 month has been slightly over 3.0GBytes of transfer quota. Not even close to my 300GByte per month allocation. Wish Apple would adopt a roll-over policy. Not likely, but it’s nice to dream…

  10. Bream Rockmetteller has it right.

    You can’t access your iDisk thru a web browser in dotMac without logging in. When you close the iDisk window, you’re logged out of your iDisk.

    This is a non-issue… unless you are stupid enough to have non-trustworthy people using your Mac and allow them access to your user account.

    Show of hands on that one.

    Anybody?

    Didn’t think so.
