First two security winners
Our friends over at Blogoscoped, Philipp Lenssen and Tony Ruscoe, figured out the gallery # and account name for our security contest. They haven’t (yet?) managed to get the actual image. They’ve declined the $1000 bounty, but I’ve offered to donate the same amount, in their name, to the charity of their choice. Still waiting to hear back.
Tim Gosselin, on the other hand, managed to find a way to get a smaller version of the 3Mpix image. Kudos to Tim – clever hack.
Both bugs have already been fixed, I believe, and no-one has managed to get the original image thus far.
I’ve had to lower the bounty amount to $599.99 to avoid tax complications, but both Blogoscoped and Tim will be getting the full amount (or donating it or whatever they choose to do).
The contest is still on, so if you’d like to help us tighten our security, give it a shot. ๐
SmugMug's Don MacAskill 
Way to go Don !! Your an honorable man – keep up the good works !!
listen to learn , learn to listen..
keep chugging we’ll keep clapping :)-
As a newish member of smugmug, I’m a little troubled by this whole story. It’s like coming home to find that your house wasn’t broke into but the screen door has been ripped off and you get a feeling your not as secure as you thought.
What are the tax complications? I’m curious…
If you pay someone over $600 you have to send them an IRS form 1099 at the end of the year. For that you need their name, address, and SSN.
Since the bugs were fixed, do we get a full disclosure on the methods they used? ๐
Cor
Yeah, I’m curious about the bug-fixes. Oh wait, I think I noticed the CNAME fix yesterday when I tried my Fusker script. That’s probably how they figured out the account name, right? I wonder how they found the gallery though if it was private. That’s a junkload of guessing, unless I suppose, you can find an adjacent photo’s public gallery ID and then make some more educated guesses.
Was the image ever actually viewable without hacks?
This is probably a bit off topic, but still relevant to the security vs privacy portion of this discussion:
http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html
Cheers,
A “medium” resolution image was viewable… and it was restricted to medium because the album settings had the largest size set to “medium” though I think the default for largest size on new albums is “original” and if the album was set to that, then the original resolution image would have been accessible.
If the largest size was set to “original” I also believe this would have bypassed the watermarking since the original is not watermarked. If someone else would like to confirm the watermarking issue, that would be nice.
The assumptions made about privacy and security are quite flawed.
I love SmugMug and Don’s blog a lot but it seems he is missing the point.
I’ll demonstrate by assuming there is one evil person in the world who hates SmugMug for being so cool and successful.
This person decides to spend his hard earned money to create a publicity nightmare.
Lets assume there are 1 Million real picture out of the 250 Million possible URL’s ( Number does not really matter).
He spends 500$ to get 100 servers from Amazon EC2 and use them for 2 days. Each server can send 50,000 HTTP requests per hour.
After 2 days the evil person knows exactly the links to the one million “private” pictures ( 50*50,000*100 = 250,000,000 ).
He needs to pay 10$ for bandwidth for the pictures ( 1M * 0.1MB * 0.0001$/MB).
The non existing links would cost 25$ ( 250,000,000 *0.0001$/MB *0.001
MB).
Total cost is 535$ to get all the pictures.
BTW, since SmugMug is using S3 bandwidth cost would probably be 0$ since bandwidth between S3 and EC2 is free ๐
In order to find the interesting ones he uses Amazon Mechanical Turk. He pays 0.01$ for 5 images classification ( a HIT ) so the total cost would be 2000$ (1M * 0.01$/ 5).
Now the evil hacker can post top 1000 photos in Flicker and get his evil wish fulfilled ( 2535$ cost )
To make matters worse, a cheap evil person can accomplish the same task with a zero cost, using JavaScript & open web sites.
So, I suggest SmugMug keep doing the great work they are doing, but also invest the time an effort to fix this issue.
The fact no one has complained so far, is just because the attack didn’t take place so far. Security through obscurity does not work in the long run.
It is a shame that one evil person can cause so much work and harm to so many good people, but that’s life.
Amazon would shut down such an attacker within hours!
to Ophir Kra-Oz:
Your scenario just describes how internet works… And if you consider that an attack, then Google is attacking alot of sites ๐
If you have content published on the web, then someone may obtain it and use it badly. That’s why we have laws: you can do a lot of things, but some of them are illegal or even a crime…
> If you have content published on the web, then
> someone may obtain it and use it badly. Thatโs
> why we have laws: you can do a lot of things,
> but some of them are illegal or even a crimeโฆ
Actually, here in Germany — not sure about the US — if you don’t lock your bike and someone takes it then there is no law against that taking… it’s not considered stealing, because no one needed to break a lock. Thankfully, that’s why people invented locks and normally use them (including locks on websites).
PS: On second thought, that bike thing may well have be an urban legend, I don’t know… I’m no lawyer, and I just know I always lock my bike ๐
Love it! You got me so excited to get one and start shooting video!