Sûnnet Beskerming is out with a blog post claiming that we left some privacy holes open with our new scheme. I’m almost 100% positive we did leave some holes open, because this is a new release and we’re bound to have bugs, but they’re just dead wrong about this one. They clearly have an axe to grind (they would like us to hire them, and sound like they’re now pissed that we haven’t).
Since their original post, we’ve been tossing around the idea of hiring someone to periodically review our security & privacy policies/implementation, and they were on the list for consideration. It looks like we probably will hire someone, but given how poorly researched this new article is, it’s clearly not going to be them. I’ll bet we end up going with the brilliant experts over at OmniTI instead.
They made two bad assumptions:
- They somehow assume just because you know the ImageID and ImageKey, you can get the Original image. As all of our customers know, we let them lock down the Original so that no-one can get it.
- They then went on to explain that you could see a photo without providing the proper ImageKey simply by using an ImageKey from another photo in lightBox. Um, no. Apparently the concept of grandfathering older photos is beyond their comprehension. Our customers understood and appreciated it, but this so-called security firm doesn’t. Go figure.
Craziest part of this whole thing is that they chose to blog about their ignorance instead of just emailing us. We could have politely and privately researched the issue, discovered that things were working as designed, and set them straight. Instead they felt like they had to publicly attack and damage our business with a poorly researched story. (Nice way to drum up business, guys. Attack your potential customer AND get it wrong!)
To be clear: If you try their so-called exploit on a ‘new’ photo or video (one uploaded after our privacy changes on February 8th), it just won’t work. If you try it on an ‘old’ photo or video, it will – just like we designed it.
I've just added a little logic to change that behavior, so that other people who jump to conclusions with no basis in fact will get an error rather than having it silently work.
We’re also certainly not claiming our site is perfectly secure (and I can’t imagine we ever will). We think it’s *very* secure, but we’re still combing through all the dark corners of our codebase looking for areas where we can tighten things up. We still haven’t totally fixed a few of the issues brought up during our contest, even, though I can assure you we’re working on them. I’m sure we’ll continue to find more things, and that the community will as well.
Speaking of our wonderful community, now that our release is out and tested, we’re starting to pay the security bounties. Those of you who reported issues should have gotten, or will shortly be getting, an email from Markham. A few people refused their winnings, and refused to even let us donate to any charities in their name, so we’re donating the bounties to a charity of our choice instead.
I told you we’d listen.
After Philipp brought the issue up, we carefully listened to both our current customers and our potential would-be customers. Our current customers were a mixed bag. Luckily, most didn’t care one way or the other. Of those who did care, many didn’t want this change. 😦 But it was clear that lots of potential customers did. And as I said in my initial post, “Philipp is absolutely right.”
So we fixed the problem.
We made two big mistakes with this situation, one technical and one around setting user expectations. I was dumb for using autoincrement IDs alone, and we were dumb for calling the gallery setting ‘Private’ when that wasn’t clear enough. “Private” means different things to different people, and we should have known better. Both of these things, I believe, have now been remedied.
Here are the gory details (we also have a dgrin thread with more):
- Your new galleries, photos, and videos are more private, and secure, than ever before.
- GUIDs did turn out to be both messy and expensive, as I thought they would be. We opted not to go that route.
- Instead, we created Keys for galleries and photos/videos and appended them to the relevant URLs. Kudos to Barnabus for planting this seed.
- The keys are made of 57 possible alphanumeric characters, and are 5 characters long, making the search space 57^5, or 601,692,057, strong. In theory, still guessable, but in practice, prohibitively expensive/difficult to do. Not to mention the fact that you have all the usual additional security and privacy settings you can turn on.
- Yes, this made our permalinks uglier. No, we’re not happy about it. But we think the tradeoff is worth it.
- Yes, older galleries and photos/videos are grandfathered. Their old URLs without the Keys still work. All new photos/videos, as well as old photos/videos inside of new galleries, require Keys to access. Same with new galleries.
- If you don’t want your older stuff grandfathered, simply create a new gallery and move your photos & videos from your old gallery into the new one. Key’d links will instantly be required for access (if you change your mind, just move them back and they’ll be re-grandfathered). Alternatively, you can set a password and turn off external links.
- The privacy options when creating a gallery and changing a gallery’s setting now use “Public” and “Unlisted” rather than “Public” and “Private” to better explain the difference and match customer expectations.
- When creating a new gallery, there’s a new option called “Lock it down” that’ll take things a step further and set all the right privacy *and* security settings to prevent unwanted access.
- This is a big, complicated release, so there will likely be bugs and bumps along the way. Let us know if you find any and I promise we’ll fix them.
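To make the rules in this list concrete, here is an added Python model (not SmugMug's own code) of the scheme: key generation from a 57-character alphabet, the 57^5 search space, the grandfathering rule for old photos and galleries, and the later change that makes a wrong key return an error instead of silently working. The particular 57-character alphabet, treating February 8th itself as the cutoff, and the record layout are my assumptions; the sample records are constructed.

```python
import hmac
import secrets
from datetime import date
from typing import Optional

# Assumed alphabet: the post says 57 alphanumeric characters, 5 characters long,
# but not which 57. This set (digits plus letters minus look-alikes 0, 1, I, O, l)
# happens to have exactly 57 members.
KEY_ALPHABET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
KEY_LENGTH = 5
PRIVACY_CUTOFF = date(2008, 2, 8)  # assumption: uploads on/after this date are "new"


def search_space() -> int:
    """Number of possible keys: 57**5 == 601,692,057, as stated in the post."""
    return len(KEY_ALPHABET) ** KEY_LENGTH


def new_key() -> str:
    # Use a CSPRNG: a predictable key would make the search space irrelevant.
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(KEY_LENGTH))


def key_required(photo_uploaded: date, gallery_created: date) -> bool:
    # Grandfathering rule: new photos, and old photos inside new galleries,
    # require a key; old photos inside old galleries do not.
    return photo_uploaded >= PRIVACY_CUTOFF or gallery_created >= PRIVACY_CUTOFF


def check_access(photo: dict, presented_key: Optional[str]) -> str:
    """Return 'serve' or 'error' for a request carrying an optional key."""
    if presented_key is not None and not hmac.compare_digest(
        presented_key.encode(), photo["key"].encode()
    ):
        # The follow-up change: a key borrowed from another photo now fails
        # even on grandfathered photos, instead of being silently ignored.
        return "error"
    if presented_key is None and key_required(photo["uploaded"], photo["gallery_created"]):
        return "error"
    return "serve"


# Constructed sample records (ids and keys are made up, not real SmugMug data).
OLD_PHOTO = {"id": 250_000_001, "key": "Aq7Zm", "uploaded": date(2007, 6, 1),
             "gallery_created": date(2007, 5, 30)}
NEW_PHOTO = {"id": 250_000_002, "key": "xR3kP", "uploaded": date(2008, 2, 9),
             "gallery_created": date(2008, 2, 9)}
MOVED_PHOTO = {"id": 250_000_001, "key": "Aq7Zm", "uploaded": date(2007, 6, 1),
               "gallery_created": date(2008, 2, 10)}  # old photo moved into a new gallery
```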
I’m sorry this change took so long to ship. We were actually in testing last Thursday, January 31st, but then I was traveling from Friday to Wednesday, so we had to put it off. Thanks for your patience while we thought about the problem, discussed it with our community, and put together an update.
Special thanks to our customers and friends who weighed in with lots of detail both about the problem and the implementation, and Philipp for being so passionate and firm about the situation.
We’d love to hear your thoughts about this either here in the comments or over on this dgrin thread.
Wow, first time I’ve slept in since our baby was born (Oct 30th, 2007), and this is what I wake up to. Guess I need to stop slacking. 🙂
First, a chance to strike it rich: I'll give ~~$1,000~~ $599.99 USD (stupid taxes) to anyone who can get a copy of this photo, or tell me which gallery or account it belongs to. To get paid, you must privately email your findings to SmugMug, including details of how you obtained it such that we can reproduce your success. And of course, I'm not using any tricks not available to our customers. Only the first person to expose a given exploit gets the bounty. Multiple reasonably different exploits? Multiple bounties.
Next, a couple of quick bullet points before we get into the meat of the situation, and then I’ll post the full emails to Philipp after the jump so you can read the un-edited versions for yourself:
- Your private photos are still private. Your secure photos are still secure. Note that there is a difference – this is an important distinction.
- If you have security settings applied to your site, galleries, or photos, no-one can see them. They’re impregnable. The sky is not falling, your photos are safe.
- Philipp Lenssen did us the courtesy of investigating the situation, contacting us, and following up – like any true journalist. I appreciate that. I wish, however, that the rest of the blogosphere, especially those that have taken Philipp’s facts and extrapolated them into some other fantasy world, had done the same. Shame on them. I know it’s always fun to join a witch hunt, but still…
- When people tell us stuff, like Philipp has done this morning, we listen. It may take us awhile to internalize it and act upon it, but I assure you, we’re listening.
- While Philipp and I don’t see eye-to-eye on this issue, he did indirectly bring a privacy hole to my attention, which has now been fixed. More on that later.
- “Locking down” your photos (privacy *and* security) is too complicated with our current UI. We need to do something about that. Count on us to do so.
- Interestingly, Philipp seems to have stolen an image from iStockPhoto and uploaded it to SmugMug as his example image. Kinda ironic, no?
Our customers have long known that we take privacy and security very seriously, and we offer a veritable army of options and settings to protect your photos. Since everyone views security and privacy a little differently, we discovered early on that a "one size fits all" setting just doesn't make sense. Instead, we settled on lots of knobs and dials so that you, the owner of the photos, can determine exactly who can see your photos and in what context. You can literally lock down your entire SmugMug site, a gallery, or a photo – and anything in between. You can mix and match, and "dial in", whatever privacy and security settings you'd like, wherever you'd like.
Every setting we have is a direct result of a customer (or lots of customers) asking us for them, and especially people like Philipp who shine a bright light on any deficiencies we may have. I believe we have the very best security and privacy options in our industry – but that doesn’t mean we can’t do better.
Now, on to privacy. The feature is working as intended, and indeed, is working exactly like thousands and thousands of our customers have asked us to make it work. You can read in the blogoscoped comments thread where our customers are insisting to Philipp that the feature is designed exactly the way they’d like, and we agree.
To us, privacy and security are two separate, but related, issues. One analogy we use often is that security is like locking your front door and arming your alarm (no-one can get in without a key), and privacy is like closing your window blinds (no-one can look in from the outside, but you can tell people where you live and they can visit without a key). Another analogy our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.
When you set your SmugMug gallery to ‘private’, this is exactly what you’re doing – making the gallery and photos difficult, but not impossible, to find. It’s intentionally easy to share with your friends and family via email, IM, in a blog or forum post, etc. No password, login, or any other messy security measure in place to make it difficult to share – just a URL. Only people you’ve shared this URL with can find those photos – with one exception I’ll get to in a minute. Our customers love this feature, and have worked with us over the years to specifically design it this way.
Now, there is one exception, and this is the crux of Philipp’s blog post: you can, in theory, guess the URL and view the photos. This is absolutely true, but let’s remember two things:
- It’s difficult to guess a photo from among a sample size nearly 250,000,000 strong.
- We offer *lots* of additional options to make this impossible should you want to. This is key – we let you "dial in" the level of privacy and security you want, and this single, lone setting is just the tip of the iceberg.
Philipp is absolutely right, guessing a photo from among 250,000,000 is easier than guessing a photo from a GUID. It’s still very difficult. I wish I’d done GUIDs when we first started, but to be honest, I just didn’t know what they were. That’s my fault. As I explained to Philipp, we’re willing to overhaul our system to use GUIDs – a very expensive proposition – except that no-one has ever asked for them, to my knowledge, in the 5 years we’ve been in business. Again, most of our customers appreciate that the privacy setting works the way it does, and appreciate that they have lots of additional privacy and security precautions they can take. Try winning the $1000 yourself, if you don’t believe me. 🙂
In conclusion, you, as the customer, have full control over exactly who can view your photos, as you have always had. We can clearly make some improvements to our UI to make it more obvious what’s going on, and especially to make it easier to “Lock it down”. We’re also willing to move to GUIDs if our customers ask us, just like we’re willing to do almost anything our customers ask us to. Please do let us know.
After the jump, the full emails I sent to Philipp, un-edited, and some details about the privacy hole I plugged this weekend, thanks in part to Philipp’s investigation.