Posts Tagged ‘philipp lessen’

First two security winners

January 28, 2008 15 comments

Our friends over at Blogoscoped, Philipp Lenssen and Tony Ruscoe, figured out the gallery # and account name for our security contest. They haven’t (yet?) managed to get the actual image. They’ve declined the $1000 bounty, but I’ve offered to donate the same amount, in their name, to the charity of their choice. Still waiting to hear back.

Tim Gosselin, on the other hand, managed to find a way to get a smaller version of the 3Mpix image. Kudos to Tim – clever hack.

Both bugs have already been fixed, I believe, and no-one has managed to get the original image thus far.

I’ve had to lower the bounty amount to $599.99 to avoid tax complications, but both Blogoscoped and Tim will be getting the full amount (or donating it or whatever they choose to do).

The contest is still on, so if you’d like to help us tighten our security, give it a shot. 🙂

Your private photos are still private.

January 28, 2008 33 comments

Wow, first time I’ve slept in since our baby was born (Oct 30th, 2007), and this is what I wake up to. Guess I need to stop slacking. 🙂

First, a chance to strike it rich: I’ll give $1,000 $599.99 USD (stupid taxes) to anyone who can get a copy of this photo, or tell me which gallery or account it belongs to. To get paid, you must privately email your findings to SmugMug, including details of how you obtained it such that we can reproduce your success. And of course, I’m not using any tricks not available to our customers. Only the first person to expose a given exploit gets the bounty. Multiple reasonably different exploits? Multiple bounties.

Next, a couple of quick bullet points before we get into the meat of the situation, and then I’ll post the full emails to Philipp after the jump so you can read the un-edited versions for yourself:

  • Your private photos are still private. Your secure photos are still secure. Note that there is a difference – this is an important distinction.
  • If you have security settings applied to your site, galleries, or photos, no-one can see them. They’re impregnable. The sky is not falling, your photos are safe.
  • Philipp Lenssen did us the courtesy of investigating the situation, contacting us, and following up – like any true journalist. I appreciate that. I wish, however, that the rest of the blogosphere, especially those that have taken Philipp’s facts and extrapolated them into some other fantasy world, had done the same. Shame on them. I know it’s always fun to join a witch hunt, but still…
  • When people tell us stuff, like Philipp has done this morning, we listen. It may take us awhile to internalize it and act upon it, but I assure you, we’re listening.
  • While Philipp and I don’t see eye-to-eye on this issue, he did indirectly bring a privacy hole to my attention, which has now been fixed. More on that later.
  • “Locking down” your photos (privacy *and* security) is too complicated with our current UI. We need to do something about that. Count on us to do so.
  • Interestingly, Philipp seems to have stolen an image from iStockPhoto and uploaded it to SmugMug as his example image. Kinda ironic, no?

Our customers have long known that we take privacy and security very seriously, and we offer a veritable army of options and settings to protect your photos. Since everyone views security and privacy a little differently than everyone else, we discovered early on that a “one size fits all” setting just doesn’t make sense. Instead, we settled on a lots of knobs and dials so that you, the owner of the photos, can determine exactly who can see your photos and in what context. You can literally lock down your entire SmugMug site, a gallery, or a photo – and anything in between. You can mix and match, and “dial in”, whatever privacy and security settings you’d like, wherever you’d like.

Every setting we have is a direct result of a customer (or lots of customers) asking us for them, and especially people like Philipp who shine a bright light on any deficiencies we may have. I believe we have the very best security and privacy options in our industry – but that doesn’t mean we can’t do better.

Now, on to privacy. The feature is working as intended, and indeed, is working exactly like thousands and thousands of our customers have asked us to make it work. You can read in the blogoscoped comments thread where our customers are insisting to Philipp that the feature is designed exactly the way they’d like, and we agree.

To us, privacy and security are two separate, but related, issues. One analogy we use often is that security is like locking your front door and arming your alarm (no-one can get in without a key), and privacy is like closing your window blinds (no-one can look in from the outside, but you can tell people where you live and they can visit without a key). Another analogy our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.

When you set your SmugMug gallery to ‘private’, this is exactly what you’re doing – making the gallery and photos difficult, but not impossible, to find. It’s intentionally easy to share with your friends and family via email, IM, in a blog or forum post, etc. No password, login, or any other messy security measure in place to make it difficult to share – just a URL. Only people you’ve shared this URL with can find those photos – with one exception I’ll get to in a minute. Our customers love this feature, and have worked with us over the years to specifically design it this way.

Now, there is one exception, and this is the crux of Philipp’s blog post: you can, in theory, guess the URL and view the photos. This is absolutely true, but let’s remember two things:

  • It’s difficult to guess a photo from among a sample size nearly 250,000,000 strong.
  • We offer *lots* of additional options to make this impossible should you want to. This is key – we let you “dial in” the level of privacy and security you want, and this single, lone setting is just the tip of iceberg.

Philipp is absolutely right, guessing a photo from among 250,000,000 is easier than guessing a photo from a GUID. It’s still very difficult. I wish I’d done GUIDs when we first started, but to be honest, I just didn’t know what they were. That’s my fault. As I explained to Philipp, we’re willing to overhaul our system to use GUIDs – a very expensive proposition – except that no-one has ever asked for them, to my knowledge, in the 5 years we’ve been in business. Again, most of our customers appreciate that the privacy setting works the way it does, and appreciate that they have lots of additional privacy and security precautions they can take. Try winning the $1000 yourself, if you don’t believe me. 🙂

In conclusion, you, as the customer, have full control over exactly who can view your photos, as you have always had. We can clearly make some improvements to our UI to make it more obvious what’s going on, and especially to make it easier to “Lock it down”. We’re also willing to move to GUIDs if our customers ask us, just like we’re willing to do almost anything our customers ask us to. Please do let us know.

After the jump, the full emails I sent to Philipp, un-edited, and some details about the privacy hole I plugged this weekend, thanks in part to Philipp’s investigation.

Read more…

%d bloggers like this: