SmugMug's Don MacAskill

Sûnnet Beskerming is out with a blog post claiming that we left some privacy holes open with our new scheme. I’m almost 100% positive we did leave some holes open, because this is a new release and we’re bound to have bugs, but they’re just dead wrong about this one. They clearly have an axe to grind (they would like us to hire them, and sound like they’re now pissed that we haven’t).

Since their original post, we’ve been tossing around the idea of hiring someone to periodically review our security & privacy policies/implementation, and they were on the list for consideration. It looks like we probably will hire someone, but given how poorly researched this new article is, it’s clearly not going to be them. I’ll bet we end up going with the brilliant experts over at OmniTI instead.

They made two bad assumptions:

• They somehow assume just because you know the ImageID and ImageKey, you can get the Original image. As all of our customers know, we let them lock down the Original so that no-one can get it.
• They then went on to explain that you could see a photo without providing the proper ImageKey simply by using an ImageKey from another photo in lightBox. Um, no. Apparently the concept of grandfathering older photos is beyond their comprehension. Our customers understood and appreciated it, but this so-called security firm doesn’t. Go figure.

Craziest part of this whole thing is that they chose to blog about their ignorance instead of just emailing us. We could have politely and privately researched the issue, discovered that things were working as designed, and set them straight. Instead they felt like they had to publicly attack and damage our business with a poorly researched story. (Nice way to drum up business, guys. Attack your potential customer AND get it wrong!)

To be clear: If you try their so-called exploit on a ‘new’ photo or video (one uploaded after our privacy changes on February 8th), it just won’t work. If you try it on an ‘old’ photo or video, it will – just like we designed it.

We’re currently adding just added a little logic to change that behavior so that other people who jump to conclusions with no basis in fact will get an error, rather than silently working.

We’re also certainly not claiming our site is perfectly secure (and I can’t imagine we ever will). We think it’s *very* secure, but we’re still combing through all the dark corners of our codebase looking for areas where we can tighten things up. We still haven’t totally fixed a few of the issues brought up during our contest, even, though I can assure you we’re working on them. I’m sure we’ll continue to find more things, and that the community will as well.

Speaking of our wonderful community, now that our release is out and tested, we’re starting to pay the security bounties. Those of you who reported issues should have gotten, or will shortly be getting, an email from Markham. A few people refused their winnings, and refused to even let us donate to any charities in their name, so we’re donating the bounties to a charity of our choice instead.