Password Protection and Non-Public Galleries Proposed Solution to Strengthen Security
System
Registered Users Posts: 8,186 moderator
onethumb said this in his last post to the recently closed thread on this subject:
"We often make decisions "for the greater good" and this is one of those times. You CAN link to Passworded galleries for all sorts of good reasons. One is that you may want to post a photo to a forum and not have it publicly displayed on your site. It happens all the time, this particular need."
My proposed password protection issue resolution:
Make a non-public gallery menu option so your users have the ability not to have a gallery displayed on their own personal homepage. This gallery can still be accessed by knowing the url. No password needed on this scheme and the result is that it does what you want it to do for your forum linkers perfectly. You can even make this gallery visible to only the logged in user if you like. The owner of the gallery can still give the url out to anyone who needs access to that gallery directly.
Then change your password protection scheme back to disallow direct links and other attempts at accessing password protected urls directly. Something like you used to have here at smugmug. This is how pbase resolved this very same issue. Why can't you do this here, Don?
-don
Comments
I too took a long time to reply in that other thread (and fortunately copied my reply to clipboard because I was concerned my session might have timed out) - so I'll now paste it here: (it's a rather different suggestion...)
What if the protections were implemented primarily at the individual photo level, maybe by pre-pending a "share-group-like hash code" to the jpg filenumber that would prevent the kind of sequential browsing at issue here. The protections could still be specified in the UI at the Gallery level (as well as new controls at the individual level). (Passwords could still be set only at the gallery level.)
The hash-code could be relatively short to simply "hide" the url, or longer for password-protected ones. It could be the same "hide-code" for the gallery and maybe the same "public-key-code" for the particular password. (Moving photos between galleries or changing hide-status or password would probably require renaming the jpgs. See redirection of potential resulting broken external links below.)
Ideally, all existing photos would be converted. For backwards-compatibility with existing (and potential) external links using the old naming scheme, a "redirection" mechanism would need to be devised. This might get messy! User options specifying how & whether to use referral mechanism for particular galleries (and when changing passwords, moves between galleries, etc.,) might limit the overhead (and also improve security for those users concerned with this issue).
To prevent (continued) abuse of the old naming scheme, would need to come up with some kind of "quota system" to limit the number of redirections from same referrer within short period of time.
some general comments:
I'll bet this "sequential browsing across accounts" explains the "mysterious activity" that induced the policy changes involving API-user-ID's recently announced in the hacker's forum.
I'm not an "abuser myself", yet also found it convenient that my uploads were generally sequentially named - because it made it easier for me to match my local file name with the corresponding Smugmug url (although I now use a lookup table to make it reliable enough for my purposes, which involve linking to photos on smugmug from a different presentation on another site).
Ideally, my online urls would reflect my local file names, maybe even my local folder hierarchy, without an extensive lookup-table-based translation. If smugmug's file names are to get longer (for hide-codes etc as described above, maybe might just as well use user-file-names.)
I've also wished for a long time that the protection were at the individual photo level rather than the gallery level (and that somewhat kludgey sharegroup scheme). It would be nice to have just one gallery that has individual photos hidden unless the user possesses a sharegroup-like cookie, and maybe a password.
So, maybe a solution to the security issue here could also allow these kinds of welcome feature enhancements.
Gary
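The per-gallery hide-code and per-referrer redirection quota Gary describes above, sketched as an added example (not part of the original thread and not SmugMug's code). The site key, the code lengths, the `PHOTOS` table and all function names are assumptions for illustration, and the sample data is constructed.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SITE_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
# Constructed sample data: photo number -> (gallery id, gallery password or None)
PHOTOS = {1001: ("g1", None), 1002: ("g1", None), 1003: ("g2", "s3cret")}

def gallery_code(gallery_id, password=None):
    """One code per gallery: short to hide a URL, longer when a password is set."""
    length = 8 if password is None else 16
    msg = f"{gallery_id}\x00{password or ''}".encode()
    return hmac.new(SITE_KEY, msg, hashlib.sha256).hexdigest()[:length]

def photo_name(photo_id):
    """File name with the gallery's code pre-pended to the photo number."""
    gallery_id, password = PHOTOS[photo_id]
    return f"{gallery_code(gallery_id, password)}-{photo_id}.jpg"

def authorize(filename):
    """Serve only if the prefix matches the code for that photo's gallery."""
    stem = filename.rsplit(".", 1)[0]
    code, _, number = stem.rpartition("-")
    if not (number.isascii() and number.isdigit()) or int(number) not in PHOTOS:
        return False
    gallery_id, password = PHOTOS[int(number)]
    expected = gallery_code(gallery_id, password)
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(code.encode(), expected.encode())

class RedirectQuota:
    """Cap redirections of old-style URLs per referrer within a sliding window."""
    def __init__(self, limit=3, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, referrer, now):
        q = self.hits[referrer]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

Because the code is derived from the gallery and its password, changing either one changes every file name in that gallery, which is the renaming cost the post mentions.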
This is called "Private" and it works this way now.
Because it will cause a big drain on customer support. Sorry, but no.
Don
This is all intelligent thinking. Far better than "we can guess it!" posts. Thanks for the valuable feedback.
If we were going to do image-level security, this is very similar to how it would be done (If you think about it, we already have image-level security on certain things, like blocked Originals, so printing and backup CDs/DVDs can be ordered. It's already done in a similar fashion).
Right now, though, this seems to add a lot of complexity, uglifies our nice simple URLs, and doesn't really solve a problem we're concerned about. I'll keep it in mind down the road, but after all the discussion, I consider it to be more of a non-issue now than it was a few days ago.
Nope, not related at all. If someone really wants to sequentially browse through terabytes and terabytes of data, I suppose there's nothing to stop them. But with no useful metadata, I don't see what the point would be.
The APIkeys were implemented more to stop "smugmug-in-a-box" reselling of our service (ie, someone opening a single account, and then using our API to sell many accounts off of it and take advantage of our unlimited storage policy to basically sell photo sharing to hundreds and thousands of people while only paying us $30.) and other abuses like that. Yes, people were contemplating doing just that.
Using any of the modern upload methods, it's highly unlikely your photos will be sequentially numbered at all.
Anyway, thanks for the well-thought out and well-intentioned feedback. We cherish this kind of problem-solving thinking among our customers.
Don
"This is called "Private" and it works this way now."
I know, and it makes the statement you made below seem a little kooky because your password protected and private galleries here at smugmug provide almost the same functionality, meanwhile neither offers any real protection. The user in the instance you describe below could have just used a private gallery and real password protection would not affect him at all. Changing things for the better with your password protection scheme here at smugmug would not affect this type of user.
Onethumb said:
"We often make decisions "for the greater good" and this is one of those times. You CAN link to Passworded galleries for all sorts of good reasons. One is that you may want to post a photo to a forum and not have it publicly displayed on your site. It happens all the time, this particular need."
It's a shame to see that you have everything in place here at smugmug to satisfy the security and convenience issue for everyone, but you just won't implement it (again, I guess). In the long run I would think you would rather have in place a system that actually protects a pro's photos here at smugmug rather than one that does not, but maybe that is not the case. I'll get off the subject now because there is a pretty simple resolution to this issue and it must be like you say, you must not want to do the real security thing because of the initial numbers of calls to support that you will get. I can only propose a viable solution, and have no means by which to make you implement it, so I can only hope that someday you will change to a system something like I proposed or better. It will be much more painful to do that later rather than sooner, that is almost a certainty.
I'm off the issue now as you do certainly seem to be quite closed to the idea of doing real password protected images here at smugmug in the future. Thanks for the conversation anyway, it is nice to at least be able to talk to the man.
Good Day
-don
I like SmugMug a lot, I think the service is great, but I would like to continue this conversation.
First off, I think it is great that you, the CEO of SmugMug, take your valuable time to reply to us; however, we are no longer children, we don't need our tears wiped, and a pat on the head; we want our problems and issues solved rather than swept under the rug.
Your words in this thread:
http://www.dgrin.com/showthread.php?t=9342
IMHO, and probably in others as well, this is exactly what you do.
Too bad/Too sad, not our problem is what I read in your statements.
Now I realize that this is probably an inconvenient and serious security breach to not have true password protection and have this exposed all over the internet, but to simply sweep it under the rug, is disappointing to say the least. I think by now it is probably clear that despite your nice 'damage control' reactions as in we are doing great and it really is secure, we both know that it isn't. In the previous thread ppl have shown and clearly demonstrated that there are several scenarios that people's images are NOT secure. And guess what, yes there are workarounds, but that is just what they are, workarounds.
Just like everyone else, I sincerely hope that you will reconsider and apply a true password protection on our copyrighted and sometimes confidential material.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
It's not inconvenient and it's not a security breach. It was done this way by design, at the request of hundreds of our customers.
Once again, for the billionth (or is it trillionth?) time, we ARE NOT interested in providing enterprise-grade security. We're simply interested in providing "good enough" security which people find easy to use. We've accomplished this goal, and that's that.
If you're interested in stronger security, I'm afraid you'll have to go elsewhere - smugmug isn't for you. Not because we can't provide it (2 or 3 lines of code are probably *still* commented in our image permissions mechanism, simply uncommenting them would do the trick) but because we've actively decided not to. It's a reversal of the way we used to do Password protected galleries after overwhelming requests for us to do so.
Just so we're clear: We love dgrin, we love all the feedback we get here, but dgrin is *not* indicative of most of our customer base. dgrin is not even indicative of most of our Pro customers, most of whom talk with us privately rather than post here. (We've wondered why that is, but it's rapidly becoming clear. I should warn you, these sorts of posts are shooting yourself in the foot - at least one employee has already vowed yesterday not to use dgrin anymore because of threads like these. We spend our free time here because we think listening to our customers is a good thing - but essentially being yelled at over and over isn't helping anyone.)
We take your feedback here seriously, but if 5 people here are pleased by something and tens of thousands of our other customers are pissed off, guess what? We're not doing it! I'm boggled that this is that difficult to understand.
Don
Sorry we don't have a better answer for you,
Baldy
Cheers
-don
I apologize for my part in this, and will sit the rest of these debates out.
One suggestion I was thinking of that might be a compromise is to allow for a checkmark option that says something to the extent of: absolutely no outside access.
In closing, I do like SmugMug and the ease with which it allows me to co-brand it, and takes care of order fulfillment so I don't have to deal with that.
XO,
Mark Twain
Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com
Good Day
-don
No-one is stopping you from using Pbase. Our customers tell us over and over that we're easier than sites like Pbase and that that's the reason they use and love us. This is one of those features they consider to be easier, and they're paying us for it, so it's a no-brainer.
Go use Pbase if you prefer it.
Don
It seems like when someone mentions a feature you don't want to implement here at smugmug, you tell us where to go. I don't think this is very cool when you have a forum that asks for suggestions and feedback. All I have been seeing here lately, it seems, is go somewhere else and shut up, or I am closing this thread.
When you use terms like "enterprise grade" to describe pbase level security, it makes some of us scratch our heads...know what I mean, Don?
Cheers
-don
Funny, this is a new phenomenon here at dgrin. Within the last two weeks, actually, with the arrival of just three or four new users who would rather endlessly kick and scream about something rather than just accept it and move on.
I'm actually getting worried, because dozens of forum regulars have been strangely silent lately. I hope the new tone hasn't scared them away like it has some of my employees.
For the record, I think it's the mark of a respectable, confident business who can refer you to another company which might be a better fit. As a consumer, I'd like to know if there's something better out there for me, and we do recommend some of our competitors from time to time.
You're the one who linked "enterprise grade" to pbase, not I. So no, Don, I don't know what you mean.
If you refuse to accept reality - that is, that almost all of our customers like the way this works and would be angry if it changed - I can't help you. I've explained it over and over and it's still not getting through.
Don
-don
Regarding this issue, it could very well be that these security concerns were never raised before the last week or two, but that, I don't think, makes them invalid concerns. In comparison to previous complaints of the previous security scheme, they may still seem insignificant, but how is this really known? This is the first I personally heard of these security issues and if I had known about them before, I think I would have expressed my concerns before. Isn't it possible that most Smugmug members simply don't know the choice that you are saying most of them have made?
But in any case, instead of trying to debate the merits of one scheme over another, which seems to be a losing battle at this point, I'll ask something that's more important: is there any way to provide a mechanism that would allow two different security schemes, or is this simply unworkable? Maybe this has already been answered, so please forgive me if that's the case.
At this point I can only assume that your decision is final and that the point of view of those of us who would like an OPTION for a higher level of security has been decided as being too small a minority to justify the added expense. But I do hope that you continue to consider that at least some of your users would like this and that our concerns are still intelligent even if they aren't held by all smugmug users. Please consider an option for such security in the future, one that will not earn you the ire of those many users who complained before because they had a different view of how security should work. Good luck, and please don't take this as criticism, but as honest concerns from long-standing customers who are eager to help Smugmug provide the best solution for as many as possible by providing honest well-intentioned feedback.
http://wallachville.smugmug.com
http://twelveblackcodemonkeys.com
On a side note, I think this would have happened many days ago if the thread(s) hadn't gotten so aggressive. smugmug's my baby and almost my entire life - I don't react well to people slamming it, my wonderful employees, or our decisions.
Maybe I had to be hit over the head with this, but I sorta doubt it. Let's try a little civility in the future - other dgrin regulars can attest to how fast features get implemented when they're described and requested politely.
More as I get it...
Don
thanks much
-don
smugmug sucks.
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum immane mittam
http://www.mcneel.com/users/jb/foghorn/ill_shut_up.au
Thanks for thinking of a possible solution. We'll look forward to any further description you can provide.
--John