On so-called 'holes' in our new privacy scheme

February 19, 2008

Sûnnet Beskerming is out with a blog post claiming that we left some privacy holes open with our new scheme. I’m almost 100% positive we did leave some holes open, because this is a new release and we’re bound to have bugs, but they’re just dead wrong about this one. They clearly have an axe to grind (they would like us to hire them, and sound like they’re now pissed that we haven’t).

Since their original post, we’ve been tossing around the idea of hiring someone to periodically review our security & privacy policies/implementation, and they were on the list for consideration. It looks like we probably will hire someone, but given how poorly researched this new article is, it’s clearly not going to be them. I’ll bet we end up going with the brilliant experts over at OmniTI instead.

They made two bad assumptions:

  • They somehow assume just because you know the ImageID and ImageKey, you can get the Original image. As all of our customers know, we let them lock down the Original so that no-one can get it.
  • They then went on to explain that you could see a photo without providing the proper ImageKey simply by using an ImageKey from another photo in lightBox. Um, no. Apparently the concept of grandfathering older photos is beyond their comprehension. Our customers understood and appreciated it, but this so-called security firm doesn’t. Go figure.

Craziest part of this whole thing is that they chose to blog about their ignorance instead of just emailing us. We could have politely and privately researched the issue, discovered that things were working as designed, and set them straight. Instead they felt like they had to publicly attack and damage our business with a poorly researched story. (Nice way to drum up business, guys. Attack your potential customer AND get it wrong!)

To be clear: If you try their so-called exploit on a ‘new’ photo or video (one uploaded after our privacy changes on February 8th), it just won’t work. If you try it on an ‘old’ photo or video, it will – just like we designed it.

We just added a little logic to change that behavior so that other people who jump to conclusions with no basis in fact will get an error, rather than silently working.

We’re also certainly not claiming our site is perfectly secure (and I can’t imagine we ever will). We think it’s *very* secure, but we’re still combing through all the dark corners of our codebase looking for areas where we can tighten things up. We still haven’t totally fixed a few of the issues brought up during our contest, even, though I can assure you we’re working on them. I’m sure we’ll continue to find more things, and that the community will as well.

Speaking of our wonderful community, now that our release is out and tested, we’re starting to pay the security bounties. Those of you who reported issues should have gotten, or will shortly be getting, an email from Markham. A few people refused their winnings, and refused to even let us donate to any charities in their name, so we’re donating the bounties to a charity of our choice instead.

  1. Doug
    February 19, 2008 at 1:50 pm

    Hi Don —

    I’m sure there are lemmings out there who leap at the opportunity to pile upon the latest “internet wrath” bandwagon, but I just wanted to assure you that not EVERYONE is as easily swayed by these attention seekers.

    I have been a loyal smugmug user for a number of years now. While I appreciate the effort towards security, please remember, these are photos, not my bank account. Personally, I use smugmug for the following reasons, please don’t lose sight of this:

    1) Unlimited photos. No questions asked. Unlimited size. Unlimited photos... no nickel and diming

    2) fair price for above referenced benefit

    3) Able to easily hot link from other sites (forums, my homepage, etc).

    I’m an IT consultant, with banking industry clients… But come Monday when I log on to smugmug, I just want to show my friends what I did over the weekend 🙂

  2. February 19, 2008 at 2:57 pm

    Don, the way you guys have handled all this is EXACTLY the reason I will strongly consider *paying* for your service where I could get something at least somewhat comparable for free. Great work to everyone who’s helped to address these security issues, even if most of them are benign anyway. Look to see me sending money your way sometime in the future.

  3. Matt Johnson
    February 19, 2008 at 3:36 pm

    The announcements of the bugs that allowed some images to be visible that were previously thought as privately protected gave me a reason to check a few things. I used my existing account to check a few of the issues that people raised and reported them to SmugMug. After they announced they had the holes plugged, I went back and checked 5 different bugs I had identified myself, and every single one had been plugged correctly. SmugMug’s response, I felt, was in accordance to the issues as if they were critical to customers.

    I have been very pleased with SmugMug’s response to these issues. I feel that these privacy issues were important but not critical as Doug points out. If I were selling photos online, and this was business for me, then it would probably rate more on the critical level. I have had a pro account since 2005 and I don’t see any reason why I would even CONSIDER discontinuing my account for several years (4+) to come.

  4. Colleen
    February 19, 2008 at 7:11 pm

    I just wanted to say that I too am happy with the way you as a whole have handled this entire situation. I always understood what private meant but I do appreciate that there are people who didn’t and I think the new unlisted is great. I am also VERY happy that you grandfathered older images in so as not to break links. People who want new features can make the appropriate adjustments.
    I second what the first poster said in why I LOVE smugmug and try to tell everyone I meet how great it is and worth every penny. Thank you for all you do.

  5. John
    February 19, 2008 at 11:10 pm

    It seems Smugmug is always under some sort of R&D hack, whereas Flickr doesn’t seem to be in this at all – putting aside the issue of Beskerming wanting your biz. Does it mean Flickr’s security is superior to Smugmug’s?

    Will this make potential customers gradually shy away from Smugmug?

  6. Doug
    February 20, 2008 at 12:30 pm

    Re: John’s “Does this mean smugmug is less secure than Flickr” comment:

    It may or may not be, but I think a lot of the reason you see it more is that Don “Fuels the fire” by responding, and actively participating in the “security hunt”. I personally view this as smugmug being MORE secure. Any company who is willing to talk about their security measures in the open, and who does not rely solely on security by obscurity scores security points in my book.

    I just took a look at the blog section on flickr and there are no technical posts, only marketing blog posts. A quick search for ‘flickr security’ on google results in a few security risks on flickr. I can’t claim to follow flickr as closely as I follow smugmug, but my impression is that they probably have a similar number of potential flaws, but handle them differently.

    Keep up the good work folks.

    On a side note… If you think that anything you put on the internet is secure, think again. Somewhere, some admin has access to everything you put on the internet. Yes, that means your bank account number, your social security number, everything. I have seen first hand the atrocious way that a number of reputable companies store your data, and it’s a joke. Have you ever been in the kitchen of your favorite “home style” Mexican restaurant down the street?

    Gordon Ramsay could do a show called “Hell’s Information Security policies”, and you’d be amazed. 95% of security measures in place on the internet are merely to keep honest people honest, and do not provide significant protection from a bad guy with enough motivation. Don’t fool yourselves 🙂

  7. Nick
    February 21, 2008 at 10:18 pm

    Don, I am an IT Security professional, and I work in a SaaS environment as well. I have some comments here.
    I did not join the witch hunt you wanted everyone to do because of ethical bounds and potential legal ramifications. That is beside the point.

    As for the security firm, I couldn’t agree more. You have to worry about those types of firms “leaking” your name and results. Working for a company that also has independent audits performed, I would like to give some words of wisdom.

    Have very strict NDAs in place.
    Have your attorneys review everything to make sure they can not leak your report.
    Ask them questions about how they keep their networks secure (remember your dirty laundry is now on their systems). You would be surprised…
    If they can’t manage their own network, don’t think they know how to tell you to manage yours.
    Get a nice exec summary that you can release to potential clients who ask for it. Think twice before publishing the executive summary online.
    Confine the space they can work within. No trojans, back doors, DOS, etc.
    Give them time frames when your site is not busy in case they do cause harm or impact your site.
    Get references and check them.
    Change your vendor every two audit cycles. This keeps it independent and nobody gets time to “relax”.

    Full disclosure: I do not work for any consulting firm, nor do I have ANY financial incentive with any consulting firms.

    If you want to know more about my “pains”, contact me offline and I would be happy to talk with you.

  8. March 2, 2008 at 3:09 pm

    Smugmug has set the standard in customer service and valuing the customer. I fired an internet service because they just didn’t measure up to Smugmug’s standards. Your ethics and fabulous treatment of your customers make me want to be a lifetime Smugmug customer!

  9. November 6, 2009 at 3:59 pm

    Love it! You got me so excited to get one and start shooting video!
