Anonymous Download

David PLDavid PL Registered Users Posts: 80 Big grins
Hello,

I am working on adding download functionality to our software application. As part of this, I would like to include the ability for a user to login to any SmugMug account anonymously and download photos from any "public" galleries.

However, one problem that I am having is that if a gallery does not have the "External" option set, the API call to smugmug.images.get still returns the URL's as if they are available, but my application then fails when it attempts to download the images since the URLs are not publicly accessible.

Is there any way to determine (when logged in anonymously) whether the "External" option is set for a particular album. For example, this setting could simply be included in the response to smugmug.albums.get. This would allow my application to check this setting first and not even attempt to download from those albums. When logged in anonymously, the current 1.2.1 beta API call to smugmug.albums.get returns the "Public" and "Passworded" settings, but does not return the "External" setting. If "External" was also included in the response, that would solve this issue completely.

Thanks for your time.

Comments

  • denisegoldbergdenisegoldberg Administrators Posts: 14,383 moderator
    edited February 4, 2008
    Can I ask what your intent is here?

    Just because galleries are public and external links are allowed does not mean that it is OK to download the photos. It sounds to me like you are building an application that will make it easier for people to steal images.

    --- Denise
  • GarethLewinGarethLewin Registered Users Posts: 95 Big grins
    edited February 6, 2008
    Can I ask what your intent is here?

    Just because galleries are public and external links are allowed does not mean that it is OK to download the photos. It sounds to me like you are building an application that will make it easier for people to steal images.

    --- Denise

    Denise, the reality of the internet is that once your picture is publicly downloadable anyone can "steal" it. Even without applications that would allow someone to leach an entire account that was tailored to smugmug, there are no end of spider applications that will do it just as easily.

    I only say this because this issue has come up before. There is a dilemma here that I understand, but even if his intentions were bad, and we could convince him not to make his application, there would still be a significant number of easy ways for someone to get your images.

    This is a risk we all take by puting images online. For example one could leach all your images purely by pointing smugsaver at your account and waiting for a bit. I assure you I had no neferious intentions when I wrote smugsaver, it's just a side effect of how it works.

    In fact his question brings up an interesting issue that i need to track down with smugsaver, would this cause smugsaver to fail? I have no gallerys that are public with no public URLs, I need to test it.
  • David PLDavid PL Registered Users Posts: 80 Big grins
    edited February 6, 2008
    Can I ask what your intent is here?

    Just because galleries are public and external links are allowed does not mean that it is OK to download the photos. It sounds to me like you are building an application that will make it easier for people to steal images.

    --- Denise
    Denise,

    I am actually developing photo management software that will be fully integrated with SmugMug, including the ability to upload, download, create/modify/delete/reclassify/duplicate galleries, create/rename categories and subcategories, classify/keyword/re-order/rotate photos, among other things. The software is not at all being developed to allow for any sort of malicious "stealing" of photos and would not allow for any sort of spider downloading of entire accounts.

    Keep in mind that SmugMug provides account holder's with several gallery settings that allow you to safeguard your photos (External, watermarks, largest size, etc) and that all of these settings are enforced by SmugMug's great API.

    Thanks for communicating your concerns. I always appreciate getting feedback.
  • devbobodevbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited February 6, 2008
    G'day David,

    There are a few methods that only return information for the owner, which a non-owner could pretty much work out by going to the user's site. The fact that some of the values aren't returned for non-owner responses is historical more than anything.

    I have taken steps to address this as you mentioned in smugmug.albums.get where we now return Public and Passworded. I am due to review the other items and work out a way to return them without bloating the response. Most of the items will most probably be returned in the heavy response.

    Cheers,

    David
    David Parry
    SmugMug API Developer
    My Photos
  • David PLDavid PL Registered Users Posts: 80 Big grins
    edited February 6, 2008
    devbobo wrote:
    G'day David,

    There are a few methods that only return information for the owner, which a non-owner could pretty much work out by going to the user's site. The fact that some of the values aren't returned for non-owner responses is historical more than anything.

    I have taken steps to address this as you mentioned in smugmug.albums.get where we now return Public and Passworded. I am due to review the other items and work out a way to return them without bloating the response. Most of the items will most probably be returned in the heavy response.

    Cheers,

    David

    Excellent. Thank you!
  • denisegoldbergdenisegoldberg Administrators Posts: 14,383 moderator
    edited February 6, 2008
    Denise, the reality of the internet is that once your picture is publicly downloadable anyone can "steal" it. Even without applications that would allow someone to leach an entire account that was tailored to smugmug, there are no end of spider applications that will do it just as easily.
    David PL wrote:
    Keep in mind that SmugMug provides account holder's with several gallery settings that allow you to safeguard your photos (External, watermarks, largest size, etc) and that all of these settings are enforced by SmugMug's great API.

    Yes, I'm well aware of that. And I'm also aware that people can steal images from the browser cache.

    The problem is that I want to be able to link to my photos from my blog, which requires that external links be set to yes. And I won't look at galleries of photos that are watermarked across the image, so I have a hard time convincing myself to do that to my own photos. I know I should really apply a watermark at least to the edge - which is the only place it's acceptable to my vision, even though I also know it can be easily cropped. I suppose I'd better do that...
    David PL wrote:
    I am actually developing photo management software that will be fully integrated with SmugMug, including the ability to upload, download, create/modify/delete/reclassify/duplicate galleries, create/rename categories and subcategories, classify/keyword/re-order/rotate photos, among other things. The software is not at all being developed to allow for any sort of malicious "stealing" of photos and would not allow for any sort of spider downloading of entire accounts.
    The functionality you mention sounds great to me as a logged in user. I guess I just don't like the idea of someone else being able to anonymously download my galleries - and as I mentioned above since I do reference my photos outside of smugmug I need to be able to set external access on.

    I guess maybe I should rethink my habits, make duplicate copies of the photos I want to link externally, and set external access to off for most of my galleries.

    Thanks for replying.

    --- Denise
  • David PLDavid PL Registered Users Posts: 80 Big grins
    edited March 19, 2008
    devbobo wrote:
    G'day David,

    There are a few methods that only return information for the owner, which a non-owner could pretty much work out by going to the user's site. The fact that some of the values aren't returned for non-owner responses is historical more than anything.

    I have taken steps to address this as you mentioned in smugmug.albums.get where we now return Public and Passworded. I am due to review the other items and work out a way to return them without bloating the response. Most of the items will most probably be returned in the heavy response.

    Cheers,

    David


    Any update on this?

    Thanks
  • devbobodevbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited March 19, 2008
    David PL wrote:
    Any update on this?

    Thanks

    I am actually been working on the next version of the API, and this stuff will be addressed in that version.
    David Parry
    SmugMug API Developer
    My Photos
  • Someday_DreamerSomeday_Dreamer Registered Users Posts: 67 Big grins
    edited April 13, 2008
    New user Needing information***
    devbobo wrote:
    I am actually been working on the next version of the API, and this stuff will be addressed in that version.

    Ok, I undertstand that nothing is really totally safe online...BUT..as a new user whose site is meant to sell photos to the public this thread has me deeply concerned...

    In plain English could someone tell me why this application would be developed, who has access, and why would SmugMug encourage this?

    One of the reasons we went with Smugmug was for the customization ability and security...

    Do we need to reconsider using SmugMug (My Boss will kill me...but better then making it easier for our photos to be stolen)
  • devbobodevbobo Registered Users, Retired Mod Posts: 4,339 SmugMug Employee
    edited April 13, 2008
    Ok, I undertstand that nothing is really totally safe online...BUT..as a new user whose site is meant to sell photos to the public this thread has me deeply concerned...

    In plain English could someone tell me why this application would be developed, who has access, and why would SmugMug encourage this?

    One of the reasons we went with Smugmug was for the customization ability and security...

    Do we need to reconsider using SmugMug (My Boss will kill me...but better then making it easier for our photos to be stolen)

    friends or family (who aren't smugmug members) may want to download photos from an event.

    The API functionality is no different to what available via the website, and it doesn't circumvent any of SmugMug's security.

    If you are worried about people downloading images, then you should be watermarking your photos and reducing to 'Largest size' to something that you are comfortable with.
    David Parry
    SmugMug API Developer
    My Photos
  • Someday_DreamerSomeday_Dreamer Registered Users Posts: 67 Big grins
    edited April 13, 2008
    Go on....
    devbobo wrote:
    friends or family (who aren't smugmug members) may want to download photos from an event.

    The API functionality is no different to what available via the website, and it doesn't circumvent any of SmugMug's security.

    If you are worried about people downloading images, then you should be watermarking your photos and reducing to 'Largest size' to something that you are comfortable with.

    My Apologies for being a novice...(I am learning as fast as I can..)

    When you say what is available via the website --WHat are you referring to? SM? IE7? FF?

    I have a Pro Account and have right click protected my photos, working on the watermark and sizes ---can someone still just download our photos??
  • dounddound Registered Users Posts: 72 Big grins
    edited April 14, 2008
    When you say what is available via the website --WHat are you referring to? SM? IE7? FF?
    Yes, I think by website he means just the normal way one views SmugMug content -- the web browser.

    I have a Pro Account and have right click protected my photos, working on the watermark and sizes ---can someone still just download our photos??
    That's a good start. Someone can only download what you make available. Always assume that anything that can be seen (by the typical user, not when you are logged in and managing your account [unless you are in the visistor view]) can be downloaded, even if right-click protection access is enabled ... someone can always get data from their display to their hard disk (screenshot, or someone a little more technical might just rip the image data as it comes up the network stack, e.g. before it gets to the browser).

    That's why DevBobo recommended watermarking your images and making sure you choose maximum size that you're comfortable with. That way you don't have to worry -- the most someone might obtain is a low-res photo covered with your watermark.

    For more on image protection, you might want to check out the excellent help page: http://smugmug.com/help/image-protection.
  • Someday_DreamerSomeday_Dreamer Registered Users Posts: 67 Big grins
    edited April 14, 2008
    dound wrote:
    Yes, I think by website he means just the normal way one views SmugMug content -- the web browser.



    That's a good start. Someone can only download what you make available. Always assume that anything that can be seen (by the typical user, not when you are logged in and managing your account [unless you are in the visistor view]) can be downloaded, even if right-click protection access is enabled ... someone can always get data from their display to their hard disk (screenshot, or someone a little more technical might just rip the image data as it comes up the network stack, e.g. before it gets to the browser).

    That's why DevBobo recommended watermarking your images and making sure you choose maximum size that you're comfortable with. That way you don't have to worry -- the most someone might obtain is a low-res photo covered with your watermark.

    For more on image protection, you might want to check out the excellent help page: http://smugmug.com/help/image-protection.







    Thanks-
  • AdamNAdamN Registered Users Posts: 18 Big grins
    edited April 16, 2008
    It's either or.
    Hmm. I'm not really getting this, probably because I'm a wee bit slow. However either you publish you photos on-line or you don't.ne_nau.gif
    If you want people to be able to see your pictures they will inherently be able to save them. There is _no_ service online displaying online pictures that can protect photos from beeing downloaded. Any service claiming that is simple lying. If the picture is displayed on a computer it must be transferred there and that transfer can always be intercepted. eek7.gif

    The 'mug is a service for publishing photos online. It incorporates several mechanisms for protection, including a very powerful watermarking solution as well as password protection and hiding gallery's. One would be hard taxed to find a more flexible and scalable security solution.clap.gif

    It also provides an excellent API. As many pointed out before anonymous download can be achieved through the API, however there is several other solutions for that widely available, spiders etc.rolleyes1.gif


    Bottom line Smug mug is meant for sharing, and sharing is what it does, to a certain extent depending on user settings.
    If you are looking for a more private solution maybe online backup such as Carbonite is the way to go. (Which is extremely safe and never ever shows anything, ever period. )
  • Someday_DreamerSomeday_Dreamer Registered Users Posts: 67 Big grins
    edited April 16, 2008
    AdamN wrote:
    Hmm. I'm not really getting this, probably because I'm a wee bit slow. However either you publish you photos on-line or you don't.ne_nau.gif
    If you want people to be able to see your pictures they will inherently be able to save them. There is _no_ service online displaying online pictures that can protect photos from beeing downloaded. Any service claiming that is simple lying. If the picture is displayed on a computer it must be transferred there and that transfer can always be intercepted. eek7.gif

    The 'mug is a service for publishing photos online. It incorporates several mechanisms for protection, including a very powerful watermarking solution as well as password protection and hiding gallery's. One would be hard taxed to find a more flexible and scalable security solution.clap.gif

    It also provides an excellent API. As many pointed out before anonymous download can be achieved through the API, however there is several other solutions for that widely available, spiders etc.rolleyes1.gif


    Bottom line Smug mug is meant for sharing, and sharing is what it does, to a certain extent depending on user settings.
    If you are looking for a more private solution maybe online backup such as Carbonite is the way to go. (Which is extremely safe and never ever shows anything, ever period. )


    Let me begin by restating--I know that nothing online is ever foolproof/bulletproof or whatever...My better half consults in computer forensics, cyber hacking etc....:dood Believe me--I know.

    I was just questioning and asking for clarification of the original post about the program that was being developed. deal.gif

    Thanks-
  • dounddound Registered Users Posts: 72 Big grins
    edited April 16, 2008
    AdamN wrote:
    Bottom line Smug mug is meant for sharing, and sharing is what it does, to a certain extent depending on user settings.
    If you are looking for a more private solution maybe online backup such as Carbonite is the way to go. (Which is extremely safe and never ever shows anything, ever period. )

    I agree, and I think it does an excellent job at providing a very customizable sharing experience. It is much more interesting than a vanilla backup service! However, if all one wants it a secure backup, then one might want to consider a different service which is specialized for that -- then you do not have to worry about the sharing aspect.

    JungleDisk is a good secure backup service that has been recommended by others including onethumb I believe. I use it myself and it works quite well. It is backed by AmazonS3 and data is stored and transferred with a provably secure encryption algorithm (see their website for the details).
Sign In or Register to comment.