When even USB drives compromise your privacy on OS X

... aka. "why didn't anyone tell me anything about this before?"

What the... TL; DR

What I did

So I bought a shiny new thumbdrive today. I, of course, plugged it into my Mac (10.6.4) and reformatted it to remove those annoying Windows-Tools/CDFS partitions some manufacturers place on the newer devices. Everything went ok, so I cd'ed to the mounted volume. Nothing unusual there:
valli@cartman:/Volumes/USB1$ l
drwxrwxrwx  1 valli  staff   4.0K Oct 28 21:32 .Spotlight-V100
drwxrwxrwx@ 1 valli  staff   4.0K Oct 28 21:32 .Trashes
-rwxrwxrwx  1 valli  staff   4.0K Oct 28 21:32 ._.Trashes
drwxrwxrwx  1 valli  staff   4.0K Oct 28 21:32 .fseventsd
	
..."just" those (more or less) annoying OS-X specific files and directories that get created every time you plug the drive in (unless you've taken special countermeasures BEFORE!).
Since I originally bought the stick in order to do some USB-hackery (nothing too fancy, but that's not my topic here), without too much thought going into it, I went ahead and did a hexdump -C /dev/disk1 (which, of course, is my thumbdrive). I quickly did a CTRL+C since most of it was binary stuff (duh!).

What happened

I briefly scrolled through the output and stumbled upon some lines which made me wonder: how did that information get there? I didn't explicitly put it there, nor do I need/want it there.
At around 0x007ef970 it started: There was my full name and my <email@address>, the corresponding message id, the message subject. Another occurrence of the same type at 0x007f2e90: yet another e-mail. Altogether about five to ten, which I will not paste here, for the sake of my own privacy :-). Some other stuff I found that does not need to be there:
valli@cartman:/$ hexdump -C /dev/disk1
007efd50  00 02 d0 00 00 00 0e 00  00 00 50 68 69 6c 69 70  |..........Philip|		// my current screen
007efd60  73 20 32 32 30 57 53 00  0c 00 00 02 3d 00 00 00  |s 220WS.....=...|
[...]
007f0110  0d 00 00 00 46 6f 74 6f  20 31 2e 6a 70 67 16 02  |....Foto 1.jpg..|		// some filename (many more of these, about 20 to 30)
[...]
007f1350  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.... .....}...Va|		// an email (obviously obscured :-)
007f1360  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |lentin......... |
007f1370  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |<valli@valli.me>|
007f1380  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |...Last night w.|
007f1390  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.as.great-lets m|
007f13a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |eet again but do|
007f13b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |n't tell your.wi|
007f13c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |fe about that xo|
007f13d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |xoxo....message:|
007f13e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |%3CE6123175-123C|
007f13f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |-4852-8DC8-7123C|
007f1400  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |89C71EF@valli.me|
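
The manual scroll through hexdump output above can be automated to audit a drive before it leaves your hands. This is an added example, not code from the original post: it assumes the drive has first been copied to an image file (for instance with dd), and the three patterns, the function names and the sample bytes are constructed for illustration.

```python
import mmap
import re
import sys

# Ordered most-specific first; a later pattern never re-reports bytes that an
# earlier one already claimed (a message: URL also contains an e-mail-like id).
PATTERNS = [
    ("message-url", re.compile(rb"message:%3C[\x21-\x7e]{1,200}")),
    ("email", re.compile(rb"[\w.%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")),
    ("filename", re.compile(
        rb"[\x21-\x7e][\x20-\x7e]{0,40}\.(?:jpe?g|png|pdf|docx?)(?!\w)", re.I)),
]

def scan(data):
    """Return sorted (offset, kind, text) hits in a bytes-like object."""
    hits, claimed = [], []
    for kind, rx in PATTERNS:
        for m in rx.finditer(data):
            if any(start <= m.start() < end for start, end in claimed):
                continue
            claimed.append(m.span())
            hits.append((m.start(), kind, m.group().decode("ascii")))
    return sorted(hits)

def scan_image(path):
    """Scan an image file via mmap, without reading it all into memory."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return scan(mm)

def format_hit(hit):
    """Render a hit with the offset style that hexdump -C prints."""
    offset, kind, text = hit
    return f"{offset:08x}  {kind:<12}{text}"

# Constructed sample bytes shaped like the dump in the post (not real data).
SAMPLE = (b"\x00" * 0x20 + b"\x0d\x00\x00\x00Foto 1.jpg\x16\x02" + b"\x00" * 6
          + b"<user@example.org>\x00Last night\x00"
          + b"message:%3CE6123175-123C@example.org%3E\x00")

if __name__ == "__main__":
    hits = scan_image(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE)
    for hit in hits:
        print(format_hit(hit))
```

Run with an image path as the only argument; with no argument it scans the constructed sample. The offsets it prints line up with the left-hand column of hexdump -C, so each hit can be checked by hand.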

How to avoid

There are, indeed, some ways to keep Spotlight from doing those things to your drives, but those are not always applicable (think "SMB share" etc.):

Me

Thanks for reading! Please, someone tell Apple! Feel free to contact me if you have anything to add, typos, mistakes, flames, love (I prefer IRC ;-).

Oh, by the way: this is free information.