I would still like to see someone explain a feasable way that someone might commondeer an image key.
The point is not if it is possible or not to access the images. I´m no hacker and will not be able to. But as you said, if wi-fi is not safe, internet banking is not safe then this should be doable too.
The point is not stealing images and making print quality downloads as suggested by JoeG.
The point is that thumbnails will become publically available (technically and legally) and thumbnails are enough to identify people, behaviours, lifestyles, privacy. I can identify and recognize the baby in the JoeG´s thumbnail. For those of us who use smugmug for personal uses this is a real issue an a real concern.
...The point is that thumbnails will become publically available...
If I understanding this thread correctly the point has been made several times that the thumbnails will be no more publicly available under the proposed scheme then they are under the current one. In other words, the risk level does not change. Just the method necessary to gain unauthorized access changes.
If I understanding this thread correctly the point has been made several times that the thumbnails will be no more publicly available under the proposed scheme then they are under the current one. In other words, the risk level does not change. Just the method necessary to gain unauthorized access changes.
Am I on track here?
Actually, the way it is currently set up, if you have your gallery password protected a person would not be able to see any of your pictures (including thumbs) even if they knew the URL.
Under this new scheme, if someone knew the URL they would be able to see the thumbnail even if the gallery was password protected.
Actually, the way it is currently set up, if you have your gallery password protected a person would not be able to see any of your pictures (including thumbs) even if they knew the URL.
Under this new scheme, if someone knew the URL they would be able to see the thumbnail even if the gallery was password protected.
The point is that thumbnails will become publically available (technically and legally) and thumbnails are enough to identify people, behaviours, lifestyles, privacy. I can identify and recognize the baby in the JoeG´s thumbnail. For those of us who use smugmug for personal uses this is a real issue an a real concern.
Robert
You guys are making a mountain out of a molehill...
what are the odds of someone, ANYone randomly typing in characters into the address bar and actually getting thumbnail? Then... what are the odds of that person actually pulling up a thumb that will identify somebody they know?
It's not going to happen. SM is being honest and saying that a possibility exists... but it's a tiny tiny tiny possibility. You're more likely to get struck by lightening twice in the same spot.
Instead of freaking out that "this isn't secure"... really try to think about what would be involved in order for somebody to pull up a thumbnail. You would, quite literally, just have to start mashing keys. Before you were able to even pull up a thumbnail, SM would have already served many, many "404" pages and will have flagged the IP of the person performing the "attack". As soon as the red flag goes up, other measures are taken, like banning the IP.
And let's just say that the person is doing all this under the anonymity of a proxy (even though it's not very anonymous anyway) and get a new IP... well like any shampoo, you wash, rinse, repeat.
You'd have to guess, and it would be no easy task to try and figure it out, considering the syntax of random letters and numbers on the end of the URL:
The WVX7z-Ti on the end of that URL is generated by SmugMug when you upload your photo, its random. Someone would have to guess that, this is assuming that they have the rest of the URL.
So they would have to figure out the combo of 336486196_WVX7z-Ti... then they would have access to your thumbnails, but still not the rest of the photo.
Under this new scheme, if someone knew the URL they would be able to see the thumbnail even if the gallery was password protected.
Yes, but as it has been stated, it wouldn't be any easier to guess the random URL & image key than the password. The difference is if I guess your password, I get rewarded with an entire gallery of images (perhaps originals if you have that turned on for people with the password) and not simply a random thumbnail.
Actually, the way it is currently set up, if you have your gallery password protected a person would not be able to see any of your pictures (including thumbs) even if they knew the URL.
Under this new scheme, if someone knew the URL they would be able to see the thumbnail even if the gallery was password protected.
That´s exactly it. And yes, guessing the url is hard. Probably harder that guessing the password. But guessing the url (or chaching a copy of the non password protected thumbnail) is not an invasion of a private system while guessing a password to have access to the thumbnail IS an explicit invasion.
That is the entire discussion and why I am for keeping everything in a password protected gallery passworded (including thumbnails).
... guessing the url (or chaching a copy of the non password protected thumbnail) is not an invasion of a private system while guessing a password to have access to the thumbnail IS an explicit invasion...
Okay. Haigh has made some excellent points. This last one, about the nitty-gritty of cache, is the one I've been looking for. Again, it's an excellent point.
But, all things considered, and keeping in mind that even password protection is far from foolproof, I don't think the ability to cache a thumbnail raises the threat level enough to weigh against the advantages of the proposed scheme.
If you actually caught someone caching thumbnails, had demonstrable evidence of the impropriety AND were prepared to sue (or perhaps even press criminal charges), the current scheme MAY give you a small advantage in court. But, from what I've read here, I doubt it provides any more actual protection.
URL History
First off let me say that I think that SmugMug crew has our best interests in mind here, and that is why they started this discussion. From my perspective after reading through all the comments there are three things that I'm going to summarize in this post that make me think that having any images, even just thumbnails, available without a password is a bad idea.
One thing that naib sort of touched on, but that was never fully discussed is if someone has access to your URL history (say you connect through a proxy server at work that logs all the http requests) it is TRIVIAL for them to get their hands on the URLs that your browser has requested, including the URLs for the thumbnails. It is more difficult for them to get the gallery password (I realize that it possible for someone in between my system and the smugmug server to get my password so even a password does not provide 100% security). In the case of someone having my URL history the password is still providing a measure of protection/privacy. And even if a thumbnail isn't much good for printing etc, as Haigh as brought up it is still good enough to identify people and actions.
Additionally, as raised by Skedee and Haigh, it could be argued that using an illicitly obtained password is circumventing a legitimate security measure, which in some cases can result is harsher penalties for copyright violations etc. I don't think most reasonable people on a jury would consider a complex URL with ImageKey to be a security measure, since to most people standard URLs are pretty cryptic in and of themselves. Its kind of like the difference between living in the middle of nowhere and thinking that because you are out in the middle of nowhere that no one will come on your property, and putting up no trespassing signs. Without the signs (passwords) people can make a reasonable argument that they didn't know that they were somewhere they shouldn't be.
Lastly as was raised bkatz I can see this having contractual implications for some professional photographers. For example say that part of your contract with a youth sports league requires "All images posted online must be protected by a password." If your thumbnails are not protected by a password that could be considered a breech of your contract. Keep in mind that these people aren't necessarily technically minded, in most cases they aren't going to care about how difficult the ImageKey is to guess vs. the password, or that only the thumbnails are available without the password. When your competition says "Photographer X uses smugmug and smugmug images can't be 100% password protected" any response you may make about ImageKeys and thumbnails is going to seem like you are avoiding giving a straight answer to the non-technical people, passwords everyone understands. When they aren't comfortable with your security measures, they probably aren't going to be comfortable with contracting you to provide the service.
Not true. Thumbails today are URL protected AND password protected. With the change they become only URL protected. Even though URL protection prevents users and even robots guessing addresses, they don´t prevent caches from storing / manipulating your images. Do you know/trust everyone who runs internet caches? I don´t. I trust smugmug, not the rest of the internet.
I'm not sure I get this part. What internet caches are you referring to and how would they get the URL of your thumbnail in the first place?
Does ANYONE have a REAL example of where your password protected thumbnail might show up after this change is made? Has anyone come across one of their images from an unlisted (but not password protected) gallery somewhere else? Somewhere that it wasn't put by somebody that had access to the gallery?
It's fine to talk about possible security issues with this change, but all I see here is people worrying about something that they don't really understand and can't show an actual example of.
I expect reasonable security right now from unlisted galleries. I will use a password if I want even more security, but I have little fear that my unlisted galleries will be "breached." I can imagine some ways that could happen where a password for the gallery would prevent it. But what I can't imagine is how the URL to one of the thumbnails would realistically get listed somewhere. Now add a password to the gallery, and I REALLY can't see the problem here. Without using general concepts of "internet caches," can anyone come up with a real scenario where it could happen?
what about aggregating thumbnails in a single image
I don't know if you have evaluated this option (probably yes). One possibility to reduce the page load time, while maintaining privacy at the thumbnail level would be to:
1. aggregate all thumbnails (or bunch of them) into a single image (maybe pre-generated)
2. maintain two copies of such images, one made of thumbnails for unrestricted access and one with all thumbnails (for restricted users)
3. (optional) make the image with thumbnails for unrestricted access cachable
4. use image maps to display the right portion of thumbnail in each box
I don't have a strong opinion about this proposed change. I could be convinced either way.
But I'm bothered that some who have expressed concerns are having their opinions essentially belittled here. It seems to me this thread was posted so people could express their opinions and issues. But it sounds like from the responses that our SmugMug leaders have already decided those concerns aren't valid.
I do understand the need for those in the know to further explain stuff to those of us who aren't techies. But frankly, it doesn't seem like anyone could suggest any concern or problem that the SmugMug folks would find valid.
If you want to make the change and are going to do so no matter what, just do it and let people decide then whether they want to continue with SmugMug. If it's still just a possibility and you truly want opinions, then I think everyone should be as respectful about them as possible.
I would definitely be bothered by the same thing, but I didn't get that sense in this thread. Unless I'm mistaken (entirely possible), no SM staffers have responded in the last several pages of discussion. I'd love to hear an update from Don or someone, but it's been all users for the last couple weeks.
All ideas are valid. It's unfortunate that in reality, someone is not going to be happy with how this is resolved. It's definitely the time for everyone to express their concerns (including yours!).
I don't have a strong opinion about this proposed change. I could be convinced either way.
But I'm bothered that some who have expressed concerns are having their opinions essentially belittled here. It seems to me this thread was posted so people could express their opinions and issues. But it sounds like from the responses that our SmugMug leaders have already decided those concerns aren't valid.
I do understand the need for those in the know to further explain stuff to those of us who aren't techies. But frankly, it doesn't seem like anyone could suggest any concern or problem that the SmugMug folks would find valid.
If you want to make the change and are going to do so no matter what, just do it and let people decide then whether they want to continue with SmugMug. If it's still just a possibility and you truly want opinions, then I think everyone should be as respectful about them as possible.
I would definitely be bothered by the same thing, but I didn't get that sense in this thread. Unless I'm mistaken (entirely possible), no SM staffers have responded in the last several pages of discussion. I'd love to hear an update from Don or someone, but it's been all users for the last couple weeks.
I believe that this task got a lower priority (July was a busy period on the operations side, last but not least the Amazon S3 downtime), moreover we should consider that this is holiday period. Or maybe they give more time to customers to express their opinions.
One of the SmugMug team strengths is that they really listen to customers (especially on topics such as privacy). I'm sure they will never deploy any new feature which (slightly) reduce the privacy of the customers before giving notice (and this thread is the sign for it).
I understand that the ImageKey URLs are virtually impossible to guess, and I'm not too worried about that. However, I personally don't like the idea of any of my images being publicly viewable if in a passworded and/or hidden gallery. I don't want any images being served to anyone I haven't shared the password with.
Although I'm mildly worried about losing my "Facebook crowd," I think thumbs are too small to be worth caring. People tend to steal my images with or without the watermark on (watermark on = exposure for me), completely ignoring the thumbs.
My vote? Go for it!
Please don't mistake my blunt, pointed posts as my being "angry," "short," or "rude."
I've got a selfish reason why I'd like to see thumbs served fast and unprotected. I have a mini-slideshow that I liked to run for our school's website, but last year I was required to password protect my school photos - no more mini-slideshow. But with the thumb-size available, I could get the slideshow going again. I don't think that the password requirement, in my case, applies to images that small.
Is this why a page of All Thumbs with a mere 43 photos takes so freaking long to load, when compared to the same 43 photos hosted at imageevent.com? (And actually the thumbs at imageevent are bigger?)
thmbs are loading retarded-slow right now.... been ~ 4 minutes and 119 thumbs have not finished loading yet... still about 30 to go.
This made me laugh, as politically-incorrect as it is. Heh, "retarded-slow". [In my head I'm hearing Jimmy Fallon and Rachel Dratch (Sully and Denise) call each other "retarded" on SNL with their thick Bahstun accents. "You are!"]
Sounds like a GREAT plan to me. I'm based in Europe (Netherlands) and Smugmug is indeed not as fast as I would like it to be. I already noticed that it takes longest to load the Thumbnails on a page, so any fix for that is VERY welcome.
But I also noticed that it takes a very long time to generate all the random thumbnails for all my galleries and categories. Especially if you have a lot of galleries under a category, this can take forever.
Would this change also solve that problem?
And if not, are you also considering an option to set fixed thumbnails for galleries (I know I can manually select a feature photo but it would take ages to set feature photo's on all pf my existing galleries)
If I understand correctly, thumbs for a passworded gallery would be available to anyone who knew the right URL (with ImageKey).
I understand that the ImageKey URLs are virtually impossible to guess, and I'm not too worried about that. However, I personally don't like the idea of any of my images being publicly viewable if in a passworded and/or hidden gallery. I don't want any images being served to anyone I haven't shared the password with.
My $.02 FWIW...keep up the great work, gals & guys!
I gotta agree with this concern. This goes to the most basic reason for having a private/password protected gallery. The size of the image isn't what someone wants to protect in a private gallery, it is access to the image PERIOD. What could be more fundamental?
For me yes - for all of smugmug's customers, no.
For me personally, I would buy into the already proposed idea. I don't need to worry about the day that someone:
A) Knows my thumbnails exist and wants them. Cracks the key to each thumbnail they want (let's say 1, for example).
C) Counter-acts Smugmugs protection of those keys.
Because the day that they would have guessed my password would have far sooner arrived than the day that the above criteria was met.
However, when it comes to these things I have listed below... they could really hurt some businesses.
1) Security policy imposed on you by clients (schools policy of password protection).
2) Non-technical clients (our customers) inability to understand the real security implications.
3) The weakening of a prosecution case (should you ever need to take someone to court over something like this).
If this change only impacted me, I'd say go right ahead smugmug. But it doesn't, so I can't buy into it, knowing the way it may impact other smugmug customers' businesses.
I find the idea of a 100x100 thumbnail in court as an 'exhibit a' quite amusing though :P.
BaldyRegistered Users, Super ModeratorsPosts: 2,853moderator
edited August 8, 2008
Once upon a time I worked for an Internet company that chose to do a bad thing in order to give its customers comfort with credit-card security: we allowed them to call us with their card at the last step of the shopping cart. They weren't comfortable with their credit card being passed across the Internet.
I cringed with every call because phone lines aren't as secure as encrypted SSL across the net, and a phone operator could get their number, and it ended up in the same place anyway -- on a computer ultimately connected to the net.
This situation reminds me of those days. Objectively, guessing just one thumbnail image from our keys probably averages 1,000 times harder than guessing the password that unlocks the entire album. And a person gets the password, the same password all users get...
I know, it's a perception thing and we really respect that
Comments
The point is not if it is possible or not to access the images. I´m no hacker and will not be able to. But as you said, if wi-fi is not safe, internet banking is not safe then this should be doable too.
The point is not stealing images and making print quality downloads as suggested by JoeG.
The point is that thumbnails will become publically available (technically and legally) and thumbnails are enough to identify people, behaviours, lifestyles, privacy. I can identify and recognize the baby in the JoeG´s thumbnail. For those of us who use smugmug for personal uses this is a real issue an a real concern.
Robert
Am I on track here?
Actually, the way it is currently set up, if you have your gallery password protected a person would not be able to see any of your pictures (including thumbs) even if they knew the URL.
Under this new scheme, if someone knew the URL they would be able to see the thumbnail even if the gallery was password protected.
And how does someone get the url?
You guys are making a mountain out of a molehill...
what are the odds of someone, ANYone randomly typing in characters into the address bar and actually getting thumbnail? Then... what are the odds of that person actually pulling up a thumb that will identify somebody they know?
It's not going to happen. SM is being honest and saying that a possibility exists... but it's a tiny tiny tiny possibility. You're more likely to get struck by lightening twice in the same spot.
Instead of freaking out that "this isn't secure"... really try to think about what would be involved in order for somebody to pull up a thumbnail. You would, quite literally, just have to start mashing keys. Before you were able to even pull up a thumbnail, SM would have already served many, many "404" pages and will have flagged the IP of the person performing the "attack". As soon as the red flag goes up, other measures are taken, like banning the IP.
And let's just say that the person is doing all this under the anonymity of a proxy (even though it's not very anonymous anyway) and get a new IP... well like any shampoo, you wash, rinse, repeat.
◇ Photos | Blogs | Twitter | MySpace | Facebook ◇
You'd have to guess, and it would be no easy task to try and figure it out, considering the syntax of random letters and numbers on the end of the URL:
http://www.timnosenzo.com/photos/336486196_WVX7z-Ti.jpg
The WVX7z-Ti on the end of that URL is generated by SmugMug when you upload your photo, its random. Someone would have to guess that, this is assuming that they have the rest of the URL.
So they would have to figure out the combo of 336486196_WVX7z-Ti... then they would have access to your thumbnails, but still not the rest of the photo.
Yes, but as it has been stated, it wouldn't be any easier to guess the random URL & image key than the password. The difference is if I guess your password, I get rewarded with an entire gallery of images (perhaps originals if you have that turned on for people with the password) and not simply a random thumbnail.
That´s exactly it. And yes, guessing the url is hard. Probably harder that guessing the password. But guessing the url (or chaching a copy of the non password protected thumbnail) is not an invasion of a private system while guessing a password to have access to the thumbnail IS an explicit invasion.
That is the entire discussion and why I am for keeping everything in a password protected gallery passworded (including thumbnails).
Robert
But, all things considered, and keeping in mind that even password protection is far from foolproof, I don't think the ability to cache a thumbnail raises the threat level enough to weigh against the advantages of the proposed scheme.
If you actually caught someone caching thumbnails, had demonstrable evidence of the impropriety AND were prepared to sue (or perhaps even press criminal charges), the current scheme MAY give you a small advantage in court. But, from what I've read here, I doubt it provides any more actual protection.
I'm still for the proposed scheme.
First off let me say that I think that SmugMug crew has our best interests in mind here, and that is why they started this discussion. From my perspective after reading through all the comments there are three things that I'm going to summarize in this post that make me think that having any images, even just thumbnails, available without a password is a bad idea.
One thing that naib sort of touched on, but that was never fully discussed is if someone has access to your URL history (say you connect through a proxy server at work that logs all the http requests) it is TRIVIAL for them to get their hands on the URLs that your browser has requested, including the URLs for the thumbnails. It is more difficult for them to get the gallery password (I realize that it possible for someone in between my system and the smugmug server to get my password so even a password does not provide 100% security). In the case of someone having my URL history the password is still providing a measure of protection/privacy. And even if a thumbnail isn't much good for printing etc, as Haigh as brought up it is still good enough to identify people and actions.
Additionally, as raised by Skedee and Haigh, it could be argued that using an illicitly obtained password is circumventing a legitimate security measure, which in some cases can result is harsher penalties for copyright violations etc. I don't think most reasonable people on a jury would consider a complex URL with ImageKey to be a security measure, since to most people standard URLs are pretty cryptic in and of themselves. Its kind of like the difference between living in the middle of nowhere and thinking that because you are out in the middle of nowhere that no one will come on your property, and putting up no trespassing signs. Without the signs (passwords) people can make a reasonable argument that they didn't know that they were somewhere they shouldn't be.
Lastly as was raised bkatz I can see this having contractual implications for some professional photographers. For example say that part of your contract with a youth sports league requires "All images posted online must be protected by a password." If your thumbnails are not protected by a password that could be considered a breech of your contract. Keep in mind that these people aren't necessarily technically minded, in most cases they aren't going to care about how difficult the ImageKey is to guess vs. the password, or that only the thumbnails are available without the password. When your competition says "Photographer X uses smugmug and smugmug images can't be 100% password protected" any response you may make about ImageKeys and thumbnails is going to seem like you are avoiding giving a straight answer to the non-technical people, passwords everyone understands. When they aren't comfortable with your security measures, they probably aren't going to be comfortable with contracting you to provide the service.
I'm not sure I get this part. What internet caches are you referring to and how would they get the URL of your thumbnail in the first place?
It's fine to talk about possible security issues with this change, but all I see here is people worrying about something that they don't really understand and can't show an actual example of.
I expect reasonable security right now from unlisted galleries. I will use a password if I want even more security, but I have little fear that my unlisted galleries will be "breached." I can imagine some ways that could happen where a password for the gallery would prevent it. But what I can't imagine is how the URL to one of the thumbnails would realistically get listed somewhere. Now add a password to the gallery, and I REALLY can't see the problem here. Without using general concepts of "internet caches," can anyone come up with a real scenario where it could happen?
Dave
I don't know if you have evaluated this option (probably yes). One possibility to reduce the page load time, while maintaining privacy at the thumbnail level would be to:
1. aggregate all thumbnails (or bunch of them) into a single image (maybe pre-generated)
2. maintain two copies of such images, one made of thumbnails for unrestricted access and one with all thumbnails (for restricted users)
3. (optional) make the image with thumbnails for unrestricted access cachable
4. use image maps to display the right portion of thumbnail in each box
this idea came up to my mind after I recalled having read this set of yahoo rules: http://developer.yahoo.com/performance/rules.html#num_http
in this way you would reduce the number of HTTP requests while preserving privacy at the thumbnails level.
Cheers, Sergio
But I'm bothered that some who have expressed concerns are having their opinions essentially belittled here. It seems to me this thread was posted so people could express their opinions and issues. But it sounds like from the responses that our SmugMug leaders have already decided those concerns aren't valid.
I do understand the need for those in the know to further explain stuff to those of us who aren't techies. But frankly, it doesn't seem like anyone could suggest any concern or problem that the SmugMug folks would find valid.
If you want to make the change and are going to do so no matter what, just do it and let people decide then whether they want to continue with SmugMug. If it's still just a possibility and you truly want opinions, then I think everyone should be as respectful about them as possible.
All ideas are valid. It's unfortunate that in reality, someone is not going to be happy with how this is resolved. It's definitely the time for everyone to express their concerns (including yours!).
I believe that this task got a lower priority (July was a busy period on the operations side, last but not least the Amazon S3 downtime), moreover we should consider that this is holiday period. Or maybe they give more time to customers to express their opinions.
One of the SmugMug team strengths is that they really listen to customers (especially on topics such as privacy). I'm sure they will never deploy any new feature which (slightly) reduce the privacy of the customers before giving notice (and this thread is the sign for it).
Let's wait for them to resume this task.
Sergio
ADDED: just went back in the history of this thread and found a post from the SmugMug CEO 3 days old
Not to nit-pick but it was June-25
uhm... ok, then the theory of operations heavy-load comes back
Cheers, Sergio
Although I'm mildly worried about losing my "Facebook crowd," I think thumbs are too small to be worth caring. People tend to steal my images with or without the watermark on (watermark on = exposure for me), completely ignoring the thumbs.
My vote? Go for it!
I'm generally happy, tall, and fuzzy on the inside.www.NickensPhotography.com
Is this why a page of All Thumbs with a mere 43 photos takes so freaking long to load, when compared to the same 43 photos hosted at imageevent.com? (And actually the thumbs at imageevent are bigger?)
Then yes, PLEASE do this.
This made me laugh, as politically-incorrect as it is. Heh, "retarded-slow". [In my head I'm hearing Jimmy Fallon and Rachel Dratch (Sully and Denise) call each other "retarded" on SNL with their thick Bahstun accents. "You are!"]
But I also noticed that it takes a very long time to generate all the random thumbnails for all my galleries and categories. Especially if you have a lot of galleries under a category, this can take forever.
Would this change also solve that problem?
And if not, are you also considering an option to set fixed thumbnails for galleries (I know I can manually select a feature photo but it would take ages to set feature photo's on all pf my existing galleries)
thanks!
Raul
I gotta agree with this concern. This goes to the most basic reason for having a private/password protected gallery. The size of the image isn't what someone wants to protect in a private gallery, it is access to the image PERIOD. What could be more fundamental?
For me personally, I would buy into the already proposed idea. I don't need to worry about the day that someone:
C) Counter-acts Smugmugs protection of those keys.
However, when it comes to these things I have listed below... they could really hurt some businesses.
2) Non-technical clients (our customers) inability to understand the real security implications.
3) The weakening of a prosecution case (should you ever need to take someone to court over something like this).
I find the idea of a 100x100 thumbnail in court as an 'exhibit a' quite amusing though :P.
I cringed with every call because phone lines aren't as secure as encrypted SSL across the net, and a phone operator could get their number, and it ended up in the same place anyway -- on a computer ultimately connected to the net.
This situation reminds me of those days. Objectively, guessing just one thumbnail image from our keys probably averages 1,000 times harder than guessing the password that unlocks the entire album. And a person gets the password, the same password all users get...
I know, it's a perception thing and we really respect that