Big changes to SmugMug's privacy and security released

Baldy

What:

1. SmugMug gallery URLs are now appended with an underscore and 5 alpha-numeric characters, and so are image URLs. We call them keys. URLs with both gallery and image numbers will have two keys. Occasionally, you'll see an URL with three keys.

2. Where we used to call galleries private, we now call them unlisted.

3. When you create a gallery, we used to offer two options: public and private. Now we offer three: public, unlisted, and lock it down.

Lock it down means we ask you to set a password, we make it unlisted, we turn off external links, and we turn right-click protection on in the case of pros.

Why:

1. The keys are to make it much harder (but not impossible) to find unlisted galleries and photos via guessing URLs.

2. The word unlisted was chosen because the word private meant different things to different people.

Unlisted means that it doesn't appear to your visitors unless they're logged in as you. If you give the link to someone, however, they can get right in without a password. It's like an unlisted phone in the U.S. If you give it out, people can call it.

Gotchas:

1. Galleries and images uploaded before this change are grandfathered. That means the olde links to them still work, so posts in forums and blogs will work as always.

It also means they are as easy to guess as they were before this change. It seems that most of our customers are not concerned about this but some are very concerned, and hence the change.

2. If you are concerned, you can place a password on your grandfathered galleries and turn external links off. Or you can move your photos to new, unlisted galleries. If you set a password, your old links to forums and blogs will continue to work as long as you don't turn external links off. If you move them to new galleries, the old links will break. We're really sorry to say that. If you move them back to grandfathered galleries, they will work again.

3. Grandfathered galleries and images will look to you like they have keys now, so any new links you make will contain those keys. If you move a grandfathered image to a new gallery some time in the future after posting a link with its keys, it won't break.

Clear as mud?! Here are some discussions that led to these changes. Many thanks to everyone who chimed in, and we're sorry for some of the compromises we felt we had to make for the sake of scalability or whatever.

Questions?

Bugs? We're standing by and holding our breath!

jogle

Baldy wrote:

What:
2. If you are concerned, you can place a password on your grandfathered galleries and turn external links off. Or you can move your photos to new, unlisted galleries. If you set a password, your old links to forums and blogs will continue to work as long as you don't turn external links off. If you move them to new galleries, the old links will break. We're really sorry to say that. If you move them back to grandfathered galleries, they will work again.

Thanks for moving so quickly, I realize this kind of change is a huge headache.

After some testing over a few days I would be happy to move all my galleries to the new keyed setup. Are you planning a tool, like for smugmungus, where you can update all the galleries or maybe even my whole site in one step?

denisegoldberg

Thank you for not breaking my existing links to my photos and galleries - that was very very very important to me.

--- Denise

devbobo

jogle wrote:

Thanks for moving so quickly, I realize this kind of change is a huge headache.

After some testing over a few days I would be happy to move all my galleries to the new keyed setup. Are you planning a tool, like for smugmungus, where you can update all the galleries or maybe even my whole site in one step?

I doubt that is going to happen at this stage, but since you are familiar with the api...I am sure that you could easily write something that would address this

digitalpins

thanks for this and thank you for keeping our old links the way they are... wow that was fast just a week ago this was talked about.

Awesome job smugmug

JenGrace

I created a test gallery for a moment. At the creation point, I was offered the three options. But when I hit customize gallery, I only got public and unlisted. So the only chance to put a gallery on 'lockdown' is when I create it, correct?

devbobo

JenW wrote:

I created a test gallery for a moment. At the creation point, I was offered the three options. But when I hit customize gallery, I only got public and unlisted. So the only chance to put a gallery on 'lockdown' is when I create it, correct?

Jen,

I believe that the 'Lock it down' option is a shortcut for setting a gallery password, and the SmugIslands and External Links settings to no. Plus sets Protected to YES for pro accounts.

Cheers,

David

rainforest1155

JenW wrote:

I created a test gallery for a moment. At the creation point, I was offered the three options. But when I hit customize gallery, I only got public and unlisted. So the only chance to put a gallery on 'lockdown' is when I create it, correct?

Jen, this is a valid question. Lockdown basically just sets a gallery to unlisted, adds a password, sets SmugIsland settings to no and disables external links. If you're a Pro, protection will be enabled as well. You were all ready able to set all of these settings prior, but we didn't have this one-click setting to engage all these locks at once.

Sebastian

Andy

JenW wrote:

I created a test gallery for a moment. At the creation point, I was offered the three options. But when I hit customize gallery, I only got public and unlisted. So the only chance to put a gallery on 'lockdown' is when I create it, correct?

On the create page, we make the lockdown button just for a quick convenience - for new customers and for any customer that hasn't set a gallery quicksetting.

On the gallery customize page, ALL the options are available to you, on an individual gallery basis, or, if you use a quick setttings template, you can apply it to all your new galleries as you make 'em

http://www.smugmug.com/help/picture-storage

Holler if you need more help Thanks!

JenGrace

Dur! Silly me... I just realised that upon rereading baldy's IP. Chalk that one up to posting less than an hour after waking up.

dmc

my customized Journal Large view affected...
FYI at this point... (I haven't looked at the code yet)... but the Customization for Journal Large has stopped working... I will post in the Customization area as well.

... yes, I'm still around..... I know, I've been quiet...

I got my cool Camera strap yesterday though! Thanks!

jfriend

Am I correct that a pre-existing gallery can be referred to by either the old link or the new link with keys?

I am using several RSS feeds to my mom's picture frame. Is there any reason to update those feeds to the new keyed gallery link? Or, can I just leave it the way it is forever?

darryl

Anything other new features released? :-}

Andy

jfriend wrote:

Am I correct that a pre-existing gallery can be referred to by either the old link or the new link with keys?

I am using several RSS feeds to my mom's picture frame. Is there any reason to update those feeds to the new keyed gallery link? Or, can I just leave it the way it is forever?

Should be able to leave it. Let us know if you find out otherwise.

Andy

darryl wrote:

Anything other new features released? :-}

No, this was a huge effort, and consumed us all for the past 10days - 2weeks. Hopefully we can now get back to our regularly scheduled Sorcery, and make some cool new stuff

jfriend

RSS feeds not working on new unlisted galleries
I use some RSS feeds on some unlisted galleries. The images aren't so much private as I just don't want them listed on my homepage because they're a particular collection just for these RSS feeds (which go to picture frames), not for regular browsing.

As of today, it seems like RSS feeds don't work to new unlisted galleries which is a feature regression. They are still working for pre-existing unlisted galleries. Is this the intended behavior?

Here's an example:
Unlisted test gallery: http://jfriend.smugmug.com/gallery/4302566_3hBNK

RSS feed from that gallery:
http://jfriend.smugmug.com/hack/feed.mg?Type=gallery&Data=4302566_3hBNK&format=rss200

The RSS feed returns only one line of XML.

I would like RSS feeds to work on unlisted galleries. Since the RSS feed requires the gallery number, they offer no less security than just typing the gallery URL. In either case you have to know the gallery number including the new key so there should be no security issue with allowing RSS feeds on unlisted galleries.

geary

I often post images from SM to my blog and other web sites. In the past, the URL for each image could be built from the image ID which was easily copied from the URL while browsing. Now I have to click through to the "share" page for each image. This is a huge pain. Is there any why do make this easier?

Examples:
http://msg150.com
http://www.acaciafarm.com/horses/Titan

jfriend

geary wrote:

I often post images from SM to my blog and other web sites. In the past, the URL for each image could be built from the image ID which was easily copied from the URL while browsing. Now I have to click through to the "share" page for each image. This is a huge pain. Is there any why do make this easier?

Examples:
http://msg150.com
http://www.acaciafarm.com/horses/Titan

Just click on the image to open the lightbox and you'll see the whole image ID with key in the URL bar and you can copy from there. One extra click.

Or right click on the main image and choose properties to see the direct image URL and copy the ID+key from there.

geary

jfriend wrote:

Just click on the image to open the lightbox and you'll see the whole image ID with key in the URL bar and you can copy from there. One extra click.

Thanks. It would still be nice if the code in the URL in the standard view included the key, but this will work.

Andy

jfriend wrote:

I use some RSS feeds on some unlisted galleries. The images aren't so much private as I just don't want them listed on my homepage because they're a particular collection just for these RSS feeds (which go to picture frames), not for regular browsing.

As of today, it seems like RSS feeds don't work to new unlisted galleries which is a feature regression. They are still working for pre-existing unlisted galleries. Is this the intended behavior?

Here's an example:
Unlisted test gallery: http://jfriend.smugmug.com/gallery/4302566_3hBNK

RSS feed from that gallery:
http://jfriend.smugmug.com/hack/feed.mg?Type=gallery&Data=4302566_3hBNK&format=rss200

The RSS feed returns only one line of XML.

I would like RSS feeds to work on unlisted galleries. Since the RSS feed requires the gallery number, they offer no less security than just typing the gallery URL. In either case you have to know the gallery number including the new key so there should be no security issue with allowing RSS feeds on unlisted galleries.

We'll check into it - it's on Devbobo, who's in Australia, so he's asleep right now but I've made sure he's seen the issue. Thanks!

paulbrock

Good stuff guys, thanks...

Can you also add something to the release notes blog though? That's where I'd expect to find details of changes rather than hunting in dgrin.com.

Ta!

sdunbar

Smugmug Export Plugin for Adobe Lightroom
I am having issues with my export plugin to Smugmug. I was reading the author's blog, and it looks like there are several of us who all starting having the same problem early this morning. Without making any changes, this worked great for me least night at 2008-02-07 05:38:07 (your upload timestamp), and stopped working today.

The problem we are all experiencing is - no galleries are returned in the plugin, so we can not select which gallery to upload to. I think it will actually create a new gallery.

Any way of telling if its related to the upgrade last night?

Andy

sdunbar wrote:

I am having issues with my export plugin to Smugmug. I was reading the author's blog, and it looks like there are several of us who all starting having the same problem early this morning. Without making any changes, this worked great for me least night at 2008-02-07 05:38:07 (your upload timestamp), and stopped working today.

The problem we are all experiencing is - no galleries are returned in the plugin, so we can not select which gallery to upload to. I think it will actually create a new gallery.

Any way of telling if its related to the upgrade last night?

It likely is, let us look and see.
In the meantime, you can export from LR to jpg, and use any other uploader from SmugMug.


EDIT: Confirmed, we'll contact the developer and /or see what can be done on our end.

Deviant Anomaly

I have been a Smugmug customer for 2 years now and always been pleased with my experience. However that changed today with this new feature. I signed in this morning intending to post some of my photos at a blog, only to find that the urls had changed to hyperlinks and no longer worked. I contacted Smugmug Help inquiring if there were technical difficulties occuring and was directed to this thread. Had I not done so, I would not have known anything. I think notification should have been sent to all members of the impending change before it took place. Not just announced here or an admin's blog since not everyone knows to visit those locations. A census of opinion should have also been conducted. Not everyone was unhappy or experienced problems with the previous security features.

Simply right clicking and displaying the properties window does not give me a full url in order to externally post my pictures either. I have to type in the size and .jpg at the end of every link now. It is not a huge inconvience, but still one I did not have to deal with before. One of the reasons I chose Smugmug in the past was the ease with which I could externally post photos. Thus I am very disappointed right now.

Andy

Deviant Anomaly wrote:

I have been a Smugmug customer for 2 years now and always been pleased with my experience. However that changed today with this new feature. I signed in this morning intending to post some of my photos at a blog, only to find that the urls had changed to hyperlinks and no longer worked. I contacted Smugmug Help inquiring if there were technical difficulties occuring and was directed to this thread. Had I not done so, I would not have known anything. I think notification should have been sent to all members of the impending change before it took place. Not just announced here or an admin's blog since not everyone knows to visit those locations. A census of opinion should have also been conducted. Not everyone was unhappy or experienced problems with the previous security features.

Simply right clicking and displaying the properties window does not give me a full url in order to externally post my pictures either. I have to type in the size and .jpg at the end of every link now. It is not a huge inconvience, but still one I did not have to deal with before. One of the reasons I chose Smugmug in the past was the ease with which I could externally post photos. Thus I am very disappointed right now.

Ouch, this should not be the case -- can you give me a link?

Example, IE6
http://img.skitch.com/20080208-gpfc4j63aucx6jp9m14a8wgpsp.jpg

Example, Firefox
http://img.skitch.com/20080208-faqrbrx8betayixs8gm172qf3u.jpg

Antony

Thanks smugmug for a good response to a tricky situation. I do have one comment though.

I was surprised that the 'unlisted' setting doesn't also turn off 'hello world!' and 'hello smuggers!'. It seems like if people using google or smugmug search can find my photos, they aren't really unlisted.

Or does unlisted do that, and it's just not clear in the Customize gallery UI? If that's the case, perhaps when you click on unlisted, it should disable the 'Yes' choice of the radio buttons for both 'hello world!' and 'hello smuggers'.

denisegoldberg

Antony wrote:

Thanks smugmug for a good response to a tricky situation. I do have one comment though.

I was surprised that the 'unlisted' setting doesn't also turn off 'hello world!' and 'hello smuggers!'. It seems like if people using google or smugmug search can find my photos, they aren't really unlisted.

Or does unlisted do that, and it's just not clear in the Customize gallery UI? If that's the case, perhaps when you click on unlisted, it should disable the 'Yes' choice of the radio buttons for both 'hello world!' and 'hello smuggers'.

I have some unlisted galleries because I do not want the galleries to show on my galleries page - but I do want them to be available to anyone. I would be very unhappy if I couldn't combine unlisted with leaving 'hello smuggers' and 'hello world' set to yes.

Allowing the gallery owner to combine the options in a way that makes sense for him or her makes the most sense (at least to me). I want maximum flexibility, and the current behavior continues to give me the flexibility that I need while still giving you the ability to lock down your galleries.

--- Denise

Deviant Anomaly

Andy wrote:

Ouch, this should not be the case -- can you give me a link?

http://deviant-anomaly.smugmug.com/photos/252218837_fHpMD-O.jpg

I see what is happening. I have to highlight the link and it will scroll down to complete it. So it is all there. However because the key now makes the links longer, when you first click on the properties window it does not appear to be complete which makes things confusing.

I am still not satisfied with the change, but I feel better now knowing I do not have to type in the ends of incomplete links all the time.

Thank you for your help.

arpboy

Slide show broken
Guys:

The shift has broken my homepage slideshow (photos.RichardBerry.org) - I had it displaying the most popular photos. Has anyone else seen this?

-Richard

shg

Deviant Anomaly wrote:

I have been a Smugmug customer for 2 years now and always been pleased with my experience. However that changed today with this new feature. I signed in this morning intending to post some of my photos at a blog, only to find that the urls had changed to hyperlinks and no longer worked. I contacted Smugmug Help inquiring if there were technical difficulties occuring and was directed to this thread. Had I not done so, I would not have known anything. I think notification should have been sent to all members of the impending change before it took place. Not just announced here or an admin's blog since not everyone knows to visit those locations. A census of opinion should have also been conducted. Not everyone was unhappy or experienced problems with the previous security features.

Simply right clicking and displaying the properties window does not give me a full url in order to externally post my pictures either. I have to type in the size and .jpg at the end of every link now. It is not a huge inconvience, but still one I did not have to deal with before. One of the reasons I chose Smugmug in the past was the ease with which I could externally post photos. Thus I am very disappointed right now.

DA, you're making a comment on the behavior of Internet Explorer, not on a deficiency with Smugmug. If you were using a different browser you would either see the whole URL or be able to resize the Properties window.

If you are set on using IE under Windows, I find the easiest way to copy long URLs from an IE Properties window is to click anywhere on the segment of URL that is visible then hit CTRL-A CTRL-C -- that is "click, select all, copy".

HTH.

devbobo

sdunbar wrote:

I am having issues with my export plugin to Smugmug. I was reading the author's blog, and it looks like there are several of us who all starting having the same problem early this morning. Without making any changes, this worked great for me least night at 2008-02-07 05:38:07 (your upload timestamp), and stopped working today.

The problem we are all experiencing is - no galleries are returned in the plugin, so we can not select which gallery to upload to. I think it will actually create a new gallery.

Any way of telling if its related to the upgrade last night?

I have released a temporary patch for the Lightroom uploader, see my post here.