Change in SmugMug URLs for better privacy

Comments

  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited January 30, 2008
    olegos wrote:
    To those who think the current setup is fine and it's just a matter of terminology, consider this.

    Say I see someone's public vacation photos. I suspect that there may be more photos from there, that the person is sharing with their family, but not the world. So I write a quick script to go over URLs with IDs in that vicinity, and can even automatically pre-filter the results based on, say, EXIF info. How likely do you think I am to discover photos I'm not supposed to be seeing?

    I don't even need to search over the whole namespace, as Don's blog posts imply. If approximate time of the photos is known, the search space gets a lot smaller. Regardless of terminology, this is WRONG.


    Yeah, well, I just don't agree. If you want your images locked down, throw a password on the gallery. I like the way it works. Simple and keeps the stuff hidden. I don't always need a full lockdown.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • jogle Registered Users Posts: 422 Major grins
    edited January 30, 2008
    cmason wrote:
    "unlisted' maybe parochial...makes sense to us Americans, but chances are they call 'unlisted' phone numbers something else in other parts of the world.

    just saying.....

    This is true. Unlisted phone numbers are called Restricted numbers here in New Zealand.
    jamesOgle photography
    "The single most important component of a camera is the twelve inches behind it." -A.Adams
  • devbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited January 30, 2008
    jogle wrote:
    This is true. Unlisted phone numbers are called Restricted numbers here in New Zealand.

    it's commonly referred to as a "silent" number here in Australia, but I think that unlisted is going to get the message across.
    David Parry
    SmugMug API Developer
    My Photos
  • jogle Registered Users Posts: 422 Major grins
    edited January 30, 2008
    devbobo wrote:
    it's commonly referred to as a "silent" number here in Australia, but I think that unlisted is going to get the message across.

    True again, American tv is pervasive enough that I still knew exactly what Unlisted meant.
    jamesOgle photography
    "The single most important component of a camera is the twelve inches behind it." -A.Adams
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited January 30, 2008
    How about Shy?

    :D
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • I Simonius Registered Users Posts: 1,034 Major grins
    edited January 30, 2008
    Baldy wrote:
    What if we were to add 6 characters--an underscore and 5 alpha-numeric characters to each URL? They would then end in something that looked like _hyqpb.jpg. That would mean up to 60,000,000 guesses per image.

    This would apply to images going forward, public or private. For the 250,000,000 images on the site now, in order to give them a new URL, you'd have to move them to a new gallery. The downside is their new URLs would break any links to them right now that you have in forums or blogs.

    Is this solution reasonable? If not, can you tell us why? Any other ideas?

    Does this fit your definition of privacy? I have an email in my box from a customer who loves us but is shocked that we would think any image that can be seen by any other person could be considered private. In other words, when he marks a gallery as private, giving the URL to a friend would not enable them to get into the gallery. Anyone else feel that it should work that way?

    Thanks for your feedback. We'd like to think this through and get it right but we don't want much time to pass either.

    Thanks,
    Baldy
    1- First and foremost change 'Private' to 'Hidden' or 'unlisted' - that clears up all the confusion

    next you can get on with increasing security at your leisure ( relatively speaking)

    2- put a gotcha message somewhere prominent as whenever anyone goes to link URL in established gallery they might then forget and update for privacy - remind to do other way round ( I know I'd forget)

    3- try the 5 alpha-numeric thingy on a test gallery for a while - it might go horribly wrong with unforeseeable things

    4- you will have lots of users who move to new galleries and lots that don't - can this cause any problems?

    5- oh nearly forgot - make it clear that if a gallery is REALLY to be 'private' then "here are the steps to follow", and make sure it is private i.e. make any changes necessary to give the requisite level of security to anything labelled 'private' i.e. change current definition of private to mean 'pretty much totally secure short of giving it a secure server' ;-)

    all I can think of right now
    Veni-Vidi-Snappii
    ...pics..
  • olegos Registered Users Posts: 94 Big grins
    edited January 30, 2008
    DavidTO wrote:
    Yeah, well, I just don't agree.
    Don't agree that what I've described is possible and doable, or don't agree that it's a big deal and needs to get fixed?
    If you want your images locked down, throw a password on the gallery.
    And don't forget to disable external links. By the way, being able to share galleries with my family by just sending them a link without a password, or requiring them to register for their own account, was one of the biggest reasons I went with Smugmug and not some of their competitors in the first place.
    Simple and keeps the stuff hidden.
    It didn't [keep the stuff hidden] for Don. You're sure it will for you?
    I don't always need a full lockdown.
    Neither do I, so? In fact, I almost never need it. Most of the time, what I want is a "medium lockdown" -- those who I invite should see my photos, the rest shouldn't.
  • darryl Registered Users Posts: 997 Major grins
    edited January 30, 2008
    olegos wrote:
    By the way, with this issue getting attention and many people trying it out for themselves, I believe one of my private galleries has been accessed: the stats show 1 access to medium size for every photo, with no accesses to thumbnails or any other sizes. I've changed all my private galleries to also hide owner (although there may still be identifying info in the photos themselves, or in the comments) for now, but I'm waiting for a real solution. I'm also very troubled by the reports that fully protected photos, in password protected galleries and no external links, can be accessed (the contest image). Looking forward to this issue getting fixed too, and explanation of the details afterwards.

    and
    olegos wrote:
    To those who think the current setup is fine and it's just a matter of terminology, consider this.

    Say I see someone's public vacation photos. I suspect that there may be more photos from there, that the person is sharing with their family, but not the world. So I write a quick script to go over URLs with IDs in that vicinity, and can even automatically pre-filter the results based on, say, EXIF info. How likely do you think I am to discover photos I'm not supposed to be seeing?

    I don't even need to search over the whole namespace, as Don's blog posts imply. If approximate time of the photos is known, the search space gets a lot smaller. Regardless of terminology, this is WRONG.

    Olegos: how would somebody crawling the photo space figure out the ID of your private gallery? I actually did some of this crawling (near Don's challenge), and couldn't figure out *how* the Blogosphere guys ferreted out the Gallery name and Owner.

    Maybe they did it before Don plugged up the CNAME fix. If that's the case, then yeah, you might get lucky incrementing the gallery IDs of public galleries that were updated near the EXIF data of the photo. (On the other hand, I sometimes wait months to upload photos, so it's still kind of a crapshoot.)

    Also, I never got to see the photo at all. Was external linking turned off? So a cut and paste would have worked. Interesting. So how was it fixed -- checking for a referrer from the specific SmugMug gallery page? But then won't that break people who browse behind certain firewalls, etc? Hrm...
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 30, 2008
    We're leaning towards adding the 5 alpha-numerics to each URL because it messes up the URLs as little as anything we can think of, but makes guessing hard. If we use both upper and lower case, each image has close to a billion possibilities to guess between.

    Still, you're best off making the gallery private before adding pics or the URLs will be public, at least for awhile. In this scheme the URLs don't change as you switch from public to private.

    Darryl, Don's been tweaking, yes. The last tweak went out mid-morning this a.m.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited January 30, 2008
    Baldy wrote:
    We're leaning towards adding the 5 alpha-numerics to each URL because it messes up the URLs as little as anything we can think of, but makes guessing hard. If we use both upper and lower case, each image has close to a billion possibilities to guess between.

    Still, you're best off making the gallery private before adding pics or the URLs will be public, at least for awhile. In this scheme the URLs don't change as you switch from public to private.

    If you're trying to reduce guessability, have you thought about whether you need to make gallery numbers less guessable also? They look like they are also sequentially assigned upon creation and there are lots fewer of them than images (so a much smaller space to guess from) and each "private" one you find gives you access to a whole gallery of images, not just one image.

    I just iterated through a few gallery numbers myself (manually in the browser bar, no script kiddy here) and it didn't take long until I found a private gallery. It was just some family photos, but it was marked as a private gallery. I myself don't use "private" galleries for security, but if you are trying to reduce the guessability of images, it seems you'll have to do so for gallery numbers too.
    --John
    HomepagePopular
    JFriend's javascript customizationsSecrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • Matthew Saville Registered Users, Retired Mod Posts: 3,352 Major grins
    edited January 30, 2008
    I think 5-digits of letters isn't bad, and would greatly increase privacy. It's like using a sharegroup.

    Now, ironically, where can I find some reading on how to do a URL redirect, so that couples can simply type in "matthewsaville.com/so-and-so" and then get directed to their matthewsaville.smugmug.com/gallery/534534555_sdfggre address?

    =Matt=
    "My first thought is always of light." – Galen Rowell
    My SmugMug Portfolio | My Astro-Landscape Photo Blog | Dgrin Weddings Forum
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 30, 2008
    jfriend wrote:
    If you're trying to reduce guessability, have you thought about whether you need to make gallery numbers less guessable also?
    Yeah, I should have mentioned that they're included too.
  • jfriend Registered Users Posts: 8,097 Major grins
    edited January 30, 2008
    I think 5-digits of letters isn't bad, and would greatly increase privacy. It's like using a sharegroup.

    Now, ironically, where can I find some reading on how to do a URL redirect, so that couples can simply type in "matthewsaville.com/so-and-so" and then get directed to their matthewsaville.smugmug.com/gallery/534534555_sdfggre address?

    =Matt=

    That would be here for a description of vanity URLs.
    --John
    HomepagePopular
    JFriend's javascript customizationsSecrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • scwalter Registered Users Posts: 417 Major grins
    edited January 30, 2008
    Baldy wrote:
    We're leaning towards adding the 5 alpha-numerics to each URL because it messes up the URLs as little as anything we can think of, but makes guessing hard. If we use both upper and lower case, each image has close to a billion possibilities to guess between.

    Still, you're best off making the gallery private before adding pics or the URLs will be public, at least for awhile. In this scheme the URLs don't change as you switch from public to private.

    Darryl, Don's been tweaking, yes. The last tweak went out mid-morning this a.m.

    If you are leaning that way, could you at least make it an optional gallery setting?

    Or better yet, apply the extra code only to private galleries on the fly. That way, public galleries are as they are today. If I go change it to private, then you add the 5-digit codes. This also solves the problem of switching from public to private and having the old links work.

    -Scott
    Scott Walter Photography
    scwalter.smugmug.com
  • olegos Registered Users Posts: 94 Big grins
    edited January 31, 2008
    ... how to do a URL redirect, so that couples can simply type in "matthewsaville.com/so-and-so" and then get directed ...
    jfriend wrote:
    That would be here for a description of vanity URLs.
    jfriend, you're talking about creating vanity URLs on SM, while Matt was asking about how to create redirects with his own domain. Matt, this is a question for the place that hosts your domain, but most likely they're using Apache (web server), so a search for "htaccess redirect" should get you lots of useful info. Or if your hosting provider gives you a control panel, look around in there, there may be a simple way to configure redirects that way.
  • olegos Registered Users Posts: 94 Big grins
    edited January 31, 2008
    Baldy wrote:
    We're leaning towards adding the 5 alpha-numerics to each URL because it messes up the URLs as little as anything we can think of, but makes guessing hard. If we use both upper and lower case, each image has close to a billion possibilities to guess between.
    Baldy, would it be possible to have the base number, before this extra part, be assigned randomly to the new galleries and images, instead of sequentially?

    Darryl, in the scenario I described I'd be iterating over image URLs, not galleries.
  • darryl Registered Users Posts: 997 Major grins
    edited January 31, 2008
    olegos wrote:
    jfriend, you're talking about creating vanity URLs on SM, while Matt was asking about how to create redirects with his own domain. Matt, this is a question for the place that hosts your domain, but most likely they're using Apache (web server), so a search for "htaccess redirect" should get you lots of useful info. Or if your hosting provider gives you a control panel, look around in there, there may be a simple way to configure redirects that way.

    Matt: In a top-level .htaccess file, you'd put:

    # Apache mod_alias: send requests for /so-and-so to the SmugMug gallery URL
    Redirect /so-and-so http://www.matthewsaville.smugmug.com/gallery/534534555_sdfggre

    If your webhost doesn't give you access to .htaccess files, but does let you load PHP files, you could create the so-and-so directory and load this into an index.php file:

    <?php
    // Send the redirect header, then stop so nothing else is emitted
    header('Location: http://www.matthewsaville.smugmug.com/gallery/534534555_sdfggre');
    exit;
    ?>
  • Allen Registered Users Posts: 10,013 Major grins
    edited January 31, 2008
    So how would this affect all the embedded photos on the SmugMug html type pages using a link like this? A lot of these are pulled from private galleries.

    <img src="/photos/xxxxxxxxxx-O.png" />
    Al - Just a volunteer here having fun
    My Website index | My Blog
  • jfriend Registered Users Posts: 8,097 Major grins
    edited January 31, 2008
    Allen wrote:
    So how would this affect all the embedded photos on the SmugMug html type pages using a link like this? A lot of these are pulled from private galleries.

    <img src="/photos/xxxxxxxxxx-O.png" />

    I think he said existing galleries would not be affected by the change, just new galleries. This is likely because there are zillions of links out there to photos already and they must preserve those.
    --John
    HomepagePopular
    JFriend's javascript customizationsSecrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • darryl Registered Users Posts: 997 Major grins
    edited January 31, 2008
    olegos wrote:
    Darryl, in the scenario I described I'd be iterating over image URLs, not galleries.

    Olegos, you originally wrote:
    Say I see someone's public vacation photos. I suspect that there may be more photos from there, that the person is sharing with their family, but not the world. So I write a quick script to go over URLs with IDs in that vicinity, and can even automatically pre-filter the results based on, say, EXIF info. How likely do you think I am to discover photos I'm not supposed to be seeing?

    If you iterated through image URLs, as I have done in testing, you would actually be surprised how *few* photos end up clustered together. With 350,000 paying subscribers (per Don's confirmation on the sun.com video) spread around the globe, it's far more typical that you'll get a mix of all the photos that were being uploaded at the same time.

    And again, since Don has fixed the CNAME problem, there's no way to figure out whose gallery a particular image belongs to, excepting cases where there's a Pro watermark or something.
  • olegos Registered Users Posts: 94 Big grins
    edited January 31, 2008
    darryl wrote:
    If you iterated through image URLs, as I have done in testing, you would actually be surprised how *few* photos end up clustered together. With 350,000 paying subscribers (per Don's confirmation on the sun.com video) spread around the globe, it's far more typical that you'll get a mix of all the photos that were being uploaded at the same time.
    That's ok, I wouldn't be doing it manually. I'd have a script, downloading all the sequential images (going both up & down), then only keeping those that have the right info in EXIF -- and there is a lot there to go on (e.g. camera model, date, image number; trivial to filter automatically).
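The scan olegos describes leaves a recognisable trace in the web server's access log, and the indicator he mentions earlier in the thread (one medium-size fetch per image, no thumbnail fetches) is exactly the kind of thing a detection rule can key on. The following Python is an added example for this thread, not code from the thread or from SmugMug: it parses constructed combined-format log lines, groups /photos/ requests by client, and flags clients that walk a run of consecutive image IDs with no referring gallery page and no thumbnail views. The /photos/<id>-<size>.<ext> layout, the size codes (-Th, -M) and the log lines themselves are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in Apache combined format. Addresses, IDs and
# URLs are made up; the /photos/<id>-<size>.<ext> layout is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2008:10:00:01 +0000] "GET /photos/245000101-M.jpg HTTP/1.1" 200 54321 "-" "curl/7.18"
203.0.113.7 - - [31/Jan/2008:10:00:02 +0000] "GET /photos/245000102-M.jpg HTTP/1.1" 200 51200 "-" "curl/7.18"
203.0.113.7 - - [31/Jan/2008:10:00:02 +0000] "GET /photos/245000103-M.jpg HTTP/1.1" 404 0 "-" "curl/7.18"
203.0.113.7 - - [31/Jan/2008:10:00:03 +0000] "GET /photos/245000104-M.jpg HTTP/1.1" 200 49000 "-" "curl/7.18"
203.0.113.7 - - [31/Jan/2008:10:00:03 +0000] "GET /photos/245000105-M.jpg HTTP/1.1" 200 50311 "-" "curl/7.18"
203.0.113.7 - - [31/Jan/2008:10:00:04 +0000] "GET /photos/245000106-M.jpg HTTP/1.1" 200 48876 "-" "curl/7.18"
198.51.100.20 - - [31/Jan/2008:10:00:05 +0000] "GET /gallery/4020011 HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.20 - - [31/Jan/2008:10:00:06 +0000] "GET /photos/245000250-Th.jpg HTTP/1.1" 200 3000 "http://example.smugmug.com/gallery/4020011" "Mozilla/5.0"
198.51.100.20 - - [31/Jan/2008:10:00:06 +0000] "GET /photos/245000251-Th.jpg HTTP/1.1" 200 3100 "http://example.smugmug.com/gallery/4020011" "Mozilla/5.0"
198.51.100.20 - - [31/Jan/2008:10:00:09 +0000] "GET /photos/245000250-M.jpg HTTP/1.1" 200 50000 "http://example.smugmug.com/gallery/4020011" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHOTO_RE = re.compile(r'^/photos/(?P<id>\d+)-(?P<size>[A-Za-z]+)\.\w+$')
THUMBNAIL_SIZES = {"Ti", "Th"}  # assumed thumbnail size codes


def parse_photo_requests(log_text):
    """Return (ip, image_id, size, referer, status) for every /photos/ request.
    404s are kept on purpose: scanning a sequential ID space produces them."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        p = PHOTO_RE.match(m.group("path"))
        if not p:
            continue
        out.append((m.group("ip"), int(p.group("id")), p.group("size"),
                    m.group("referer"), int(m.group("status"))))
    return out


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers among ids."""
    s = set(ids)
    best = 0
    for start in s:
        if start - 1 in s:
            continue  # only measure from the first ID of a run
        n = 1
        while start + n in s:
            n += 1
        best = max(best, n)
    return best


def find_enumerators(log_text, min_run=5):
    """Flag clients whose /photos/ traffic looks like sequential ID scanning.

    A normal gallery visit also touches consecutive IDs (a batch upload gets
    adjacent numbers), so run length alone is weak evidence; it is reported
    together with the absence of a referring page, the absence of thumbnail
    fetches, and the 404 count so an analyst can weigh them."""
    per_ip = defaultdict(list)
    for ip, image_id, size, referer, status in parse_photo_requests(log_text):
        per_ip[ip].append((image_id, size, referer, status))
    findings = {}
    for ip, reqs in per_ip.items():
        run = longest_consecutive_run(r[0] for r in reqs)
        if run < min_run:
            continue
        findings[ip] = {
            "run": run,
            "requests": len(reqs),
            "no_referer": all(r[2] in ("", "-") for r in reqs),
            "thumbnails": sum(1 for r in reqs if r[1] in THUMBNAIL_SIZES),
            "not_found": sum(1 for r in reqs if r[3] == 404),
        }
    return findings


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed lines the scripted client is reported with a run of six IDs, no referer, no thumbnails and one 404, while the browser that viewed a gallery (thumbnails first, referer set, only two adjacent IDs) is not. In production the same per-client aggregation would run over a sliding time window rather than a whole file.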
  • asd Registered Users Posts: 115 Major grins
    edited January 31, 2008
    I've been following this with great interest in the two blogs and now here. I'm glad to see that Smugmug's doing something about this. I've been with the service for a couple of years now and thought I pretty much understood the privacy/security options but never realized that this left things open to a script iterating through image or gallery IDs.

    Anyway, I think that appending underscore and a handful of alphanumerics would work just fine. I'd also be OK with assigning random alphanumerics as image IDs to get even more compact (someone suggested this above). I think that 10 character alphanumerics give you about as much obscurity per image as the appended 5 alphanumerics do while providing a URL that's about 5 characters shorter. But I'll be happy with any approach that stops folks from iterating through.

    I would very much like it if you also--eventually--added a tool for us to reset or import a gallery's image IDs into the new system rather than having to go setting up gallery copies.

    I've been really impressed with the way Smugmug has handled this. I'm looking forward to hearing and seeing the final solution.
  • mhilbush Registered Users Posts: 70 Big grins
    edited January 31, 2008
    The bolt-on approach (embedding some alphanumerics into the existing gallery and image IDs) described above will certainly work. However, I've never been a big fan of this type of fix, as you will have to deal with the legacy of this approach in the future. It might not seem like much now, and maybe it won't be troublesome in the future, but you never know. That's why I suggested replacing the current sequential, numeric ID format with a randomized, alphanumeric format (I suppose you could call this the built-in approach). You also could embed a "check digit" into the naming scheme, which, while easily reverse-engineered, would add another degree of obscurity to the naming convention. Additionally, you can monitor and/or log URLs containing bad check digits, which gives your support/IDS folks something to look into.

    Whichever way you go (bolt-on or built-in), I feel the change will be sufficient to reduce the ability to mine photos.

    Mark
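mhilbush's built-in approach, random alphanumeric IDs carrying a check character whose failures are logged, can be sketched in a few functions. This is an added example written for this thread, not SmugMug's code: the base-36 alphabet, the nine-character random body and the weighted mod-36 check are assumptions. The check character is not a secret (anyone who reads the scheme can compute it), which is mhilbush's own point: its value is as a tripwire, because a client guessing IDs at random or sequentially produces an invalid check character about 35 times in 36, and those requests can be counted per client before any storage lookup happens.

```python
import logging
import secrets
import string
from collections import Counter

# Base-36 alphabet (assumed): digits plus lowercase letters, which keeps IDs
# case-insensitive and safe in URLs and filenames.
ALPHABET = string.digits + string.ascii_lowercase
BASE = len(ALPHABET)
BODY_LEN = 9  # length of the random part (assumed)

log = logging.getLogger("image-id")


def check_char(body):
    """Position-weighted sum of the body's symbol values, modulo 36 (assumed scheme)."""
    total = sum((pos + 1) * ALPHABET.index(ch) for pos, ch in enumerate(body))
    return ALPHABET[total % BASE]


def new_image_id(rng=secrets):
    """Random body drawn from a CSPRNG, followed by its check character."""
    body = "".join(rng.choice(ALPHABET) for _ in range(BODY_LEN))
    return body + check_char(body)


def is_valid_id(image_id):
    """Structural check only: right length, right alphabet, check char matches."""
    if len(image_id) != BODY_LEN + 1 or any(c not in ALPHABET for c in image_id):
        return False
    return check_char(image_id[:-1]) == image_id[-1]


class ImageStore:
    """Tiny stand-in for the image service: validates before lookup and counts
    bad check characters per client for the IDS / support queue."""

    def __init__(self):
        self.images = {}
        self.bad_checks = Counter()

    def add(self, data):
        image_id = new_image_id()
        self.images[image_id] = data
        return image_id

    def fetch(self, image_id, client_ip):
        if not is_valid_id(image_id):
            self.bad_checks[client_ip] += 1
            log.warning("bad check character in %r from %s (%d so far)",
                        image_id, client_ip, self.bad_checks[client_ip])
            return None
        return self.images.get(image_id)


def invalid_fraction(sample=10000, rng=secrets):
    """Share of uniformly random, well-formed candidates that fail the check.
    This is what a blind guesser's traffic looks like; expect about 35/36."""
    bad = 0
    for _ in range(sample):
        candidate = "".join(rng.choice(ALPHABET) for _ in range(BODY_LEN + 1))
        if not is_valid_id(candidate):
            bad += 1
    return bad / sample


if __name__ == "__main__":
    store = ImageStore()
    image_id = store.add(b"jpeg bytes")
    print("issued", image_id, "valid:", is_valid_id(image_id))
    print("fraction of random guesses rejected:", invalid_fraction())
```

The rejection counter is per client and is incremented before the store is touched, so a scan shows up as a rising count for one address without costing a storage lookup per guess. The guess-resistance still comes entirely from the random body, not from the check character.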
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 31, 2008
    Houston, we found the first problem. Firefox's ad blocker blocks any image with _ad in it no matter what follows.
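Baldy's two figures (60,000,000 guesses for five case-insensitive alphanumerics, close to a billion with both cases), asd's alternative of a ten-character random ID, and the _ad ad-blocker collision can all be checked with a few lines. The following Python is an added example, not the thread's or SmugMug's code: it computes the guess space and the entropy in bits for each scheme, turns a space into an expected time to exhaust at a given request rate, estimates how many blind guesses land on some existing image when the whole ID is random (using the 250,000,000-image population from the thread), and generates suffixes from a CSPRNG while rejecting any that contain a blocked substring. The blocklist contents, the scan rate and the comparison table go beyond the thread and are assumptions.

```python
import math
import secrets
import string

LOWER_ALNUM = string.digits + string.ascii_lowercase  # 36 symbols
MIXED_ALNUM = string.digits + string.ascii_letters    # 62 symbols


def guess_space(alphabet_size, length):
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random string of that shape."""
    return length * math.log2(alphabet_size)


def expected_seconds_to_find(space, guesses_per_second):
    """Expected time to hit one specific value by brute force (half the space)."""
    return space / (2.0 * guesses_per_second)


def guesses_per_hit_on_any_image(space, population):
    """For a fully random ID space (no sequential part), the average number of
    blind guesses before one lands on some existing image: space / population."""
    return space / population


# Substrings that must not appear in a URL because client-side filters act on
# them. "_ad" is the Firefox ad-blocker case reported in the thread; the tuple
# is an assumption for the operator to extend, not SmugMug's list.
BLOCKED_SUBSTRINGS = ("_ad",)


def make_suffix(length=5, alphabet=MIXED_ALNUM, blocked=BLOCKED_SUBSTRINGS, rng=secrets):
    """Underscore plus `length` random characters, regenerated if the result
    would contain a blocked substring. rng needs a .choice(seq) method; the
    default is the secrets module, a CSPRNG, rather than random.choice."""
    while True:
        suffix = "_" + "".join(rng.choice(alphabet) for _ in range(length))
        if not any(b in suffix for b in blocked):
            return suffix


def compare_schemes(guesses_per_second=1000, population=250_000_000):
    """Tabulate the schemes discussed in the thread at an assumed scan rate.
    With a sequential base plus random suffix the base is known from its
    neighbours, so only the suffix counts; with a fully random ID the whole
    string must be guessed, and the population determines how often a blind
    guess hits anything at all."""
    schemes = {
        "sequential id + 5 lowercase alnum": (36, 5, False),
        "sequential id + 5 mixed-case alnum": (62, 5, False),
        "10 random lowercase alnum, no sequential part": (36, 10, True),
    }
    rows = {}
    for name, (k, n, fully_random) in schemes.items():
        space = guess_space(k, n)
        row = {
            "space": space,
            "bits": round(entropy_bits(k, n), 1),
            "days_to_find_one_image": expected_seconds_to_find(space, guesses_per_second) / 86400,
        }
        if fully_random:
            row["guesses_per_hit_on_any_image"] = guesses_per_hit_on_any_image(space, population)
        rows[name] = row
    return rows


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(name, row)
    print("example suffix:", make_suffix())
```

The rejection loop is the right place for the ad-blocker fix because it keeps the suffix uniform over the allowed set instead of patching the string after the fact, and the cost is negligible: only suffixes beginning with "ad" are ever discarded.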
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited January 31, 2008
    How about instead of replacing this, just offer two levels: Simple Privacy and Advanced Privacy. I like it the way it is.
    Moderator Emeritus
    Dgrin FAQ | Me | Workshops
  • wellman Registered Users Posts: 961 Major grins
    edited January 31, 2008
    Baldy wrote:
    Houston, we found the first problem. Firefox's ad blocker blocks any imaage with _ad in it no matter what follows.
    Out of curiosity, why the underscore? What's wrong with not having it? Is it that the first character of the appended string might be numeric?
  • I Simonius Registered Users Posts: 1,034 Major grins
    edited January 31, 2008
    DavidTO wrote:
    How about instead of replacing this, just offer two levels: Simple Privacy and Advanced Privacy. I like it the way it is.

    sounds good to me - does it really need to be so complicated?
    (but what do I know?)
    Veni-Vidi-Snappii
    ...pics..
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 31, 2008
    jogle wrote:
    True again, American tv is pervasive enough that I still knew exactly what Unlisted meant.
    We've kicked this around and tried to think of alternatives, like hidden or secret.

    Unlisted seems to be the term everyone gets, even if they are international. They may not use the term in their countries, but they understand it when they hear it. The phone analogy resonates. It's also interesting to see how many people suggested this word in their blog posts around the net.

    We'd present the choices as unlisted or public, not as unlisted or listed.
  • I Simonius Registered Users Posts: 1,034 Major grins
    edited January 31, 2008
    Baldy wrote:
    We've kicked this around and tried to think of alternatives, like hidden or secret.

    Unlisted seems to be the term everyone gets, even if they are international. They may not use the term in their countries, but they understand it when they hear it. The phone analogy resonates. It's also interesting to see how many people suggested this word in their blog posts around the net.

    We'd present the choices as unlisted or public, not as unlisted or listed.

    A Sensible solution!

    If you also go for a super secure option at a later date you could call it 'Secret' or 'Top Secret' or even 'Eintritt Verboten!' i.e. "NO ENTRY!" - :D
    Veni-Vidi-Snappii
    ...pics..
  • Baldy Registered Users, Super Moderators Posts: 2,853 moderator
    edited January 31, 2008
    I Simonius wrote:
    A Sensible solution!

    If you also go for a super secure option at a later date you could call it 'Secret' or 'Top Secret' or even 'Eintritt Verboten!' i.e. "NO ENTRY!" - :D
    Hahaha, we were talking about that because we'd like to offer three radio buttons in certain circumstances. Secret played into Top Secret really well. But we decided they weren't clear enough.