Our friends over at Blogoscoped, Philipp Lenssen and Tony Ruscoe, figured out the gallery # and account name for our security contest. They haven’t (yet?) managed to get the actual image. They’ve declined the $1000 bounty, but I’ve offered to donate the same amount, in their name, to the charity of their choice. Still waiting to hear back.
Tim Gosselin, on the other hand, managed to find a way to get a smaller version of the 3Mpix image. Kudos to Tim – clever hack.
Both bugs have already been fixed, I believe, and no-one has managed to get the original image thus far.
I’ve had to lower the bounty amount to $599.99 to avoid tax complications, but both Blogoscoped and Tim will be getting the full amount (or donating it or whatever they choose to do).
The contest is still on, so if you’d like to help us tighten our security, give it a shot. 🙂
Wow, first time I’ve slept in since our baby was born (Oct 30th, 2007), and this is what I wake up to. Guess I need to stop slacking. 🙂
First, a chance to strike it rich: I’ll give
$1,000 (now $599.99 USD – stupid taxes) to anyone who can get a copy of this photo, or tell me which gallery or account it belongs to. To get paid, you must privately email your findings to SmugMug, including details of how you obtained it such that we can reproduce your success. And of course, I’m not using any tricks not available to our customers. Only the first person to expose a given exploit gets the bounty. Multiple reasonably different exploits? Multiple bounties.
Next, a couple of quick bullet points before we get into the meat of the situation, and then I’ll post the full emails to Philipp after the jump so you can read the un-edited versions for yourself:
- Your private photos are still private. Your secure photos are still secure. Note that there is a difference – this is an important distinction.
- If you have security settings applied to your site, galleries, or photos, no-one can see them. They’re impregnable. The sky is not falling, your photos are safe.
- Philipp Lenssen did us the courtesy of investigating the situation, contacting us, and following up – like any true journalist. I appreciate that. I wish, however, that the rest of the blogosphere, especially those that have taken Philipp’s facts and extrapolated them into some other fantasy world, had done the same. Shame on them. I know it’s always fun to join a witch hunt, but still…
- When people tell us stuff, like Philipp has done this morning, we listen. It may take us awhile to internalize it and act upon it, but I assure you, we’re listening.
- While Philipp and I don’t see eye-to-eye on this issue, he did indirectly bring a privacy hole to my attention, which has now been fixed. More on that later.
- “Locking down” your photos (privacy *and* security) is too complicated with our current UI. We need to do something about that. Count on us to do so.
- Interestingly, Philipp seems to have stolen an image from iStockPhoto and uploaded it to SmugMug as his example image. Kinda ironic, no?
Our customers have long known that we take privacy and security very seriously, and we offer a veritable army of options and settings to protect your photos. Since everyone views security and privacy a little differently than everyone else, we discovered early on that a “one size fits all” setting just doesn’t make sense. Instead, we settled on lots of knobs and dials so that you, the owner of the photos, can determine exactly who can see your photos and in what context. You can literally lock down your entire SmugMug site, a gallery, or a photo – and anything in between. You can mix and match, and “dial in”, whatever privacy and security settings you’d like, wherever you’d like.
Every setting we have is a direct result of a customer (or lots of customers) asking us for them, and especially people like Philipp who shine a bright light on any deficiencies we may have. I believe we have the very best security and privacy options in our industry – but that doesn’t mean we can’t do better.
Now, on to privacy. The feature is working as intended, and indeed, is working exactly like thousands and thousands of our customers have asked us to make it work. You can read in the blogoscoped comments thread where our customers are insisting to Philipp that the feature is designed exactly the way they’d like, and we agree.
To us, privacy and security are two separate, but related, issues. One analogy we use often is that security is like locking your front door and arming your alarm (no-one can get in without a key), and privacy is like closing your window blinds (no-one can look in from the outside, but you can tell people where you live and they can visit without a key). Another analogy our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.
When you set your SmugMug gallery to ‘private’, this is exactly what you’re doing – making the gallery and photos difficult, but not impossible, to find. It’s intentionally easy to share with your friends and family via email, IM, in a blog or forum post, etc. No password, login, or any other messy security measure in place to make it difficult to share – just a URL. Only people you’ve shared this URL with can find those photos – with one exception I’ll get to in a minute. Our customers love this feature, and have worked with us over the years to specifically design it this way.
Now, there is one exception, and this is the crux of Philipp’s blog post: you can, in theory, guess the URL and view the photos. This is absolutely true, but let’s remember two things:
- It’s difficult to guess a photo from among a sample size nearly 250,000,000 strong.
- We offer *lots* of additional options to make this impossible should you want to. This is key – we let you “dial in” the level of privacy and security you want, and this single, lone setting is just the tip of the iceberg.
Philipp is absolutely right, guessing a photo from among 250,000,000 is easier than guessing a photo from a GUID. It’s still very difficult. I wish I’d done GUIDs when we first started, but to be honest, I just didn’t know what they were. That’s my fault. As I explained to Philipp, we’re willing to overhaul our system to use GUIDs – a very expensive proposition – except that no-one has ever asked for them, to my knowledge, in the 5 years we’ve been in business. Again, most of our customers appreciate that the privacy setting works the way it does, and appreciate that they have lots of additional privacy and security precautions they can take. Try winning the $1000 yourself, if you don’t believe me. 🙂
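To make the privacy-versus-security distinction concrete, here is a small added model (example code written for this page, not SmugMug’s implementation): an unlisted “private” gallery stays out of browsing but is still served to anyone who presents its URL, a password-protected “secure” gallery is not, and `guess_work_bits` compares how much guessing separates a dense sequential ID space from 128-bit random identifiers. The `Site`, `Gallery` and 28-bit/122-bit figures are constructed assumptions, not SmugMug’s real numbers.

```python
import math
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model of the two settings the post distinguishes.
# "private" = unlisted: hidden from browsing, but the URL alone still works.
# "secure"  = password-protected: knowing the URL is not enough.

@dataclass
class Gallery:
    owner: str
    photos: list
    private: bool = False
    password: Optional[str] = None

@dataclass
class Site:
    galleries: dict = field(default_factory=dict)
    next_seq: int = 1

    def create(self, gallery, random_id=False):
        # Sequential IDs live in a small, densely populated space; a random
        # 128-bit token acts as an unguessable capability (the "GUID" option).
        if random_id:
            gid = secrets.token_urlsafe(16)
        else:
            gid, self.next_seq = str(self.next_seq), self.next_seq + 1
        self.galleries[gid] = gallery
        return gid

    def browse(self):
        # Privacy setting: unlisted galleries never appear in browsing/search.
        return [gid for gid, g in self.galleries.items() if not g.private]

    def fetch(self, gid, password=None):
        # Security setting: a credential gate that holding the URL cannot bypass.
        g = self.galleries.get(gid)
        if g is None:
            return None
        if g.password is not None:
            if password is None or not secrets.compare_digest(g.password, password):
                return None
        return g.photos

def guess_work_bits(valid_ids, id_space_bits):
    """log2 of the expected number of random guesses before one lands on a real photo."""
    return id_space_bits - math.log2(valid_ids)
```

With 250,000,000 photos in a 2^28 sequential space almost every guess hits something (about 0.1 bits of work), while the same photos behind 122 random bits leave roughly 94 bits of guessing per hit.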
In conclusion, you, as the customer, have full control over exactly who can view your photos, as you have always had. We can clearly make some improvements to our UI to make it more obvious what’s going on, and especially to make it easier to “Lock it down”. We’re also willing to move to GUIDs if our customers ask us, just like we’re willing to do almost anything our customers ask us to. Please do let us know.
After the jump, the full emails I sent to Philipp, un-edited, and some details about the privacy hole I plugged this weekend, thanks in part to Philipp’s investigation.
It’s their own fault.
Recently, I had the pleasure of being interviewed for a front page story at the LA Times and a feature spread in BusinessWeek. I have a huge amount of respect for both publications, and was honored to be interviewed. And the interviews themselves didn’t disappoint – both reporters were extremely thorough, knowledgeable, and detailed. There were lots of follow-up calls, and both stories were then exhaustively fact checked and reviewed by an army of editors. Everything top-notch publications are supposed to do, they did, and then some.
Blogging has become my go-to resource for up-to-the-minute news, but both these interviews really brought home for me why traditional media continues to be so much better at well-researched pieces. So great, right? They each have a business niche. Traditional media can focus on deeply researched articles and exposés while bloggers cover all the timely news and commentary. Traditional media can still thrive – it’s not gonna die.
Where these august publications fell down was in their online presentation. Someone running these businesses hasn’t figured out that their online business model is advertising. They’ve made it impossible to link to their articles directly (ie, drive money-making traffic to them). On the LA Times’ site, nearly every link you can find forces you to log in to view the content. Lots of people have told me, personally, that they couldn’t read the article because they weren’t going to sign in. Imagine how many people don’t know me or simply didn’t speak up and just walked away.
And BusinessWeek is far, far worse. BusinessWeek actually asked us specifically *not* to link to the article. Yes, that’s right, an ad-driven publication doesn’t want us to drive traffic to them. They were kind enough to point us to their User Agreement where, sure enough, they prohibit deep linking. Talk about stupid. Ok, fine, so I’ll link to Google (who’s apparently allowed to deep-link?) and they’ll link you to the article for me. Like so – this link behaves like a deep-link, but in reality I’m linking to Google, who’s redirecting you to the article. (Ironically, this is nerfing BusinessWeek’s PageRank so they show up lower in Google than other publications that allow deep-linking).
I can’t imagine what must be going through the minds of the stellar reporters and editors they have at the LA Times and BusinessWeek, but I’ll bet “frustration” is only the very tip of the iceberg. To spend all of this time and energy on their articles, only to have the crazy business people make it impossible for people to read their work, must be incredibly trying.
On a related note, try clicking the ‘Digg This’ icon at the end of the LA Times story. You’d think this would be a smart way to drive traffic, no? It would be, except they’re sending digg *Page 2* of the story – so even if it makes Digg’s homepage, people clicking through will start in the middle of the story, instead of the beginning. I’ll bet that makes the LA Times a lot of money. Not.
After doing these stories, I’m more likely than ever before to trust stories from publications like the LA Times and BusinessWeek – but less likely to link to them.
I’ve been getting a little flack for not joining DataPortability.org and want to set the record straight:
- SmugMug has believed since the beginning that your photos and metadata are yours to do with what you will. We view them as being on loan to us for safekeeping, and we take that role very seriously.
- SmugMug has emailed DataPortability to see about joining, contributing, whatever. No response. Don’t ask me why – ask them. I imagine they’re busy.
- SmugMug already supports OpenID (and better support is coming), XFN & FOAF, RSS, Atom & KML, and has a rich API to both store and retrieve your data.
- We’re committed to all of the ideals that DataPortability.org is pushing, and hope to see this stuff become the rule, rather than the exception.
While I’m on my soapbox, I think it’s important to note that many of the participants in the DataPortability project have been making their data portable for many years. I’m not sure why the media is trumpeting each new company that joins as if it’s just gotten religion, but companies like Flickr and SixApart (and us) have been doing more than talking about this for a long time. Give credit where credit is due.
Anyway, whenever we figure out how we can contribute, we will. We love the idea of our customers’ data being portable. It’s the right thing to do.
Over on IEBlog and A List Apart, they detail a new flag for the upcoming IE8 that would enable you to “lock” the browser down to older versions should you be expecting older broken behavior from IE6 or IE7.
This is a bad idea. The Safari team has a great write-up about why they think it’s a bad idea, which I agree with, but I also have an additional take:
Pages and sites that are likely to care about this are poorly written and poorly maintained. Microsoft created this problem themselves when they let IE6 sit idle for more than half a decade, and now they have to deal with it. Instead of letting someone flag their site as being broken (that’s what they’re doing), why shouldn’t they finally force them to fix their site and improve the browsing experience for everyone (not to mention improve the stability, speed, and maintainability of their codebase)?
If someone owned a car, but didn’t know how to drive it properly, would we bend the driving laws to let them on the road? Of course not. Some reasonable adherence to standards and moving things forward is the only thing keeping the web browser mess from descending into pure chaos.
Laura Thomson has an interesting post about the MySQL acquisition. And I think it really highlights a fundamental disconnect that some companies built on providing open source applications for enterprises face:
Their means of getting revenue are at odds with their customers’ needs.
I’m a paying MySQL Enterprise Platinum customer, and I’m seriously considering not renewing for another year if Laura’s thoughts are on target. In a nutshell, here’s why:
In fact, as I mentioned already, I probably wouldn’t pay for MySQL as it stands today. I paid for it in the hopes that, as a paying customer, my feedback that these patches (and others like them) are vital would be listened to. Thus far, it hasn’t.
I couldn’t care less about MySQL’s desire to keep their released, supported software dual-licensed (commercial and GPL). I don’t consider our Enterprise subscription to be for the software – mentally, I’m paying for service and support. And the support (fixing InnoDB’s concurrency problems) is increasingly at odds with the business (releasing a commercial binary-only Enterprise release). But they’re on a collision course – I’m not the only one who will stop paying for it, resulting in damage to MySQL’s business.
I believe the right (and admittedly scary) thing to do is provide paid support for the GPL’d version and move the ball forward – accept community patches that fix major problems.
You can bet that I’ll be telling Sun this, over and over again. Since they have a history of listening, I’m optimistic.
(BTW, this problem isn’t unique to MySQL. Red Hat has the same dilemma – and they won’t take my money, no matter how hard I try to throw it their way.)
Maybe MySQL will finally start fixing all the performance/concurrency issues with InnoDB (basically, InnoDB’s threading and concurrency aren’t working well with modern multi-core CPUs). Google’s had some fabulous patches for a while, and the brilliant Yasufumi Kinoshita does as well, but they don’t seem to be making their way into MySQL anytime soon.
Personally, I worry they’re focused too much on Falcon and not enough on InnoDB – but luckily Sun listens, so that may change. 🙂