Domain Hosting vs Domain Masking


XO-Studios
Apr-06-2005, 12:27 PM
I noticed being a pro-user that smugmug doesn't really use domain hosting, but uses domain masking.

When I share a picture http://www.xo-studios.com/photos/17971305-M.jpg, even tho this picture might be in a protected gallery.

Now for more fun, try changing the picture number
17971305 to 17971306

http://www.xo-studios.com/photos/17971306-M.jpg

Even tho the domain name says XO-Studios, that is not my picture.

Sometimes, my pictures get sequential numbers, sometimes they don't. (pending traffic)

Now I personally stopped using sharing, as ppl get bored and mess with the url and get to see others' pictures, under my domain name.

I have contacted tech support at smugmug and their reaction is 'too bad, too sad' which to me means too sad indeed, as I can live with my pictures not being protected (i.e. I simply don't use share anymore) but I cannot live with others' pictures showing under my domain name.

This technique btw is called domain masking, not domain hosting
example:
http://www.smugmug.com/photos/17971305-M.jpg
is identical to
http://www.xo-studios.com/photos/17971305-M.jpg

I am convinced that there should be a simple way to block access to pictures that are not in any of my galleries, however so far smugmug tech support gives a 'not at home/not our problem' type of response.

FWIW,
YMMV,

XO,

flyingpylon
Apr-06-2005, 12:38 PM
Nice first post. MMDV (My Mileage Did Vary)

First, I doubt they said "too bad, so sad" or gave you a "not at home, not our problem" answer. What probably happened is that they just didn't tell you what you wanted to hear.

Anyway, I have a pro account, and the same thing does not happen to me. When I try the second URL with either of the hostnames that point to my smugmug account, I get redirected to the hostname of the photo's owner.

LiquidOps
Apr-06-2005, 12:51 PM
Now I personally stopped using sharing, as ppl get bored and mess with the url and get to see others' pictures, under my domain name.

so... ummmm... solution = take better pictures so people don't "get bored"??

yes no?

haha... only messin. I don't think support gave you the big middle finger... it's not their style.

onethumb
Apr-06-2005, 03:17 PM
I noticed being a pro-user that smugmug doesn't really use domain hosting, but uses domain masking.

Actually, you're wrong on both counts. Smugmug doesn't do domain hosting - you need your own DNS servers, either through your registrar or other, to do your hosting. It looks like you have this.

We also don't do DNS masking.

Instead, we host your photo sharing and make it viewable at your fully-qualified hostname on your domain. It's like hosting a website, but not like hosting domains.


When I share a picture http://www.xo-studios.com/photos/17971305-M.jpg, even tho this picture might be in a protected gallery.

Now for more fun, try changing the picture number
17971305 to 17971306

http://www.xo-studios.com/photos/17971306-M.jpg

Even tho the domain name says XO-Studios, that is not my picture.

You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!

I have contacted tech support at smugmug and their reaction is 'too bad, too sad' which to me means too sad indeed,

so far smugmug tech support gives a 'not at home/not our problem' type of response.

As the CEO, I take this very seriously. Can you please let me know what customer service reps you were dealing with so I can check their logs and see what went wrong? You should never receive answers like either of the above.

smugmug is devoted to five-star customer service across the board and I'm terribly sorry if we haven't met up to that standard. We'll make it right, and knowing who you were dealing with will help a great deal.

Thanks!

Don

minoltaman
Apr-06-2005, 04:51 PM
You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!

I own a small web services business and we offer forwarding and masking to all of the folks registering domain names with us. It's not a real biggie, but do please let us know when this is fixed as it would be very helpful to have this straightened out. If I understand this correctly, all of my clients that forward with masking to smugmug using my dns servers are affected by this bug? Or is this something kookier than that? If I am off base here, just kick me in the teeth. I would also like to say that in my time here at smugmug I have been impressed with smugmug's professional support staff. bravo

-don

XO-Studios
Apr-06-2005, 08:51 PM
<SNIP>
As the CEO, I take this very seriously. Can you please let me know what customer service reps you were dealing with so I can check their logs and see what went wrong? You should never receive answers like either of the above.

<SNIP>
Don
Don,

Thanks for the quick response, for more feedback, and the answer/email you were looking for please email me offlist (XO@XO-studios.com).

To the rest of you, I did get a quick response, and no I did not literally get told too bad/too sad, rather I got an answer that stated, it was just the way things were.

XO,

dvdmon
Apr-07-2005, 07:12 AM
You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!
Don, I'm experiencing the same behavior on my smugmug subdomain. Specifically, I go to one of my private albums, click on one of the images so that it comes up in a web browser with the url being the jpg file itself. Then I log out and try to refresh that page and it still comes up. I then try incrementing the digits in the file name and come up with additional images, ones that I know could not be in my browser's cache, but which I know are also in private albums... I tried playing around with some settings and disabled external links but that didn't seem to do anything...

Thanks,

Levi

jfriend
Apr-07-2005, 08:45 AM
Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.

--John

Don, I'm experiencing the same behavior on my smugmug subdomain. Specifically, I go to one of my private albums, click on one of the images so that it comes up in a web browser with the url being the jpg file itself. Then I log out and try to refresh that page and it still comes up. I then try incrementing the digits in the file name and come up with additional images, ones that I know could not be in my browser's cache, but which I know are also in private albums... I tried playing around with some settings and disabled external links but that didn't seem to do anything...

Thanks,

Levi

winnjewett
Apr-07-2005, 10:16 AM
Additionally, if you want a gallery to appear on the home page, you can first feature the gallery, and then make it private. In this way, the category it resides in (if it's alone) will not show up, but people can get directly to it.

I also do not believe that the above scenario is a bug.

-w

XO-Studios
Apr-07-2005, 10:22 AM
Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.

--John

Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
You share a picture as a teaser.
http://xxx.yyyyy.zzz/photos/123456-m.jpg

Someone is smart enough to figure out that
http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
Or as the earlier bug said it leads to a picture of someone else's gallery.

I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.

FWIW,

XO,

minoltaman
Apr-07-2005, 10:48 AM
Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
You share a picture as a teaser.
http://xxx.yyyyy.zzz/photos/123456-m.jpg

Someone is smart enough to figure out that
http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
Or as the earlier bug said it leads to a picture of someone else's gallery.

I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.

FWIW,

XO,

XO, you seem correct on your opinion of the bug you detailed. I DO NOT want any part of this sort of easy to figure out money-losing bug. It certainly could lead to someone losing a bunch of images not on his own accord, and that is not cool for sure.

-don

jfriend
Apr-07-2005, 10:52 AM
I, myself, don't expect marking a gallery private to protect it in the way you do. But, I do expect password protection on the gallery to protect ANY access to the gallery or ANY photos in the gallery without first entering the password.

I just ran a test and a password protected gallery is ONLY protected at the top level gallery level. If you have an URL to a photo or you guess an URL to a photo, you get to see it without providing the password. That seems like a serious security bug. You should be required to enter a password before viewing ANY photos in a password protected gallery. BTW, I don't have a custom domain so this problem exists even without that.

So XO-Studios, I tested this because I thought a password protected gallery should provide the protection you seem to be interested in, but alas, that doesn't currently work.

--John

Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
You share a picture as a teaser.
http://xxx.yyyyy.zzz/photos/123456-m.jpg

Someone is smart enough to figure out that
http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
Or as the earlier bug said it leads to a picture of someone else's gallery.

I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.

FWIW,

XO,

rainforest1155
Apr-07-2005, 11:44 AM
I just ran a test and a password protected gallery is ONLY protected at the top level gallery level. If you have an URL to a photo or you guess an URL to a photo, you get to see it without providing the password.

You're right, password protection works only on album level, so you have to turn off external linking and then nobody should be able to access them without a password.

Sebastian

XO-Studios
Apr-07-2005, 11:55 AM
You're right, password protection works only on album level, so you have to turn off external linking and then nobody should be able to access them without a password.

Sebastian

Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.

XO,

XO-Studios
Apr-07-2005, 11:58 AM
<SNIP>
So XO-Studios, I tested this because I thought a password protected gallery should provide the protection you seem to be interested in, but alas, that doesn't currently work.

--John
Which was exactly what I emailed in my original email to smugmug tech support.

1) picture url's are not protected
2) other people's pics will show under my domain
3) passwords do not protect individual files.

XO,

jfriend
Apr-07-2005, 12:00 PM
I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.

--John

Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.

XO,

dvdmon
Apr-07-2005, 12:37 PM
Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.

The way I would do this is to just create one gallery for public consumption and one for private. XOXO's concerns are not exactly mine. My concern is that some clients do not want their pictures accessible by anyone who has some spare time and likes playing with url's. Also, because some private folders are set to allow full-size access, that means theoretically someone could come steal your full-size image files... I just tried this by getting the "original" image file url from my private non-external link-enabled gallery, logging out, incrementing the digits and got additional original files from that gallery. I incremented to a higher degree and got original images from other peoples' galleries.

So as far as I'm concerned, having stuff show up under my url doesn't mean anything because the people who are accessing these are already fooling around and so should know that they might get something unexpected. What I'm MUCH more concerned about is the privacy of my clients (and my OWN, friends', and family's privacy), as well as the possibility that original images could be stolen...

rainforest1155
Apr-07-2005, 02:10 PM
Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.

XO,

Sorry for not testing it before writing. I can confirm the bug with direct URL access. Even cleared my browser's cache.
Maybe there is a delay before the settings work completely?

Sebastian

onethumb
Apr-07-2005, 03:23 PM
I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.

--John

This is by design and not a bug. Sorry!

Don

onethumb
Apr-07-2005, 03:24 PM
Sorry for not testing it before writing. I can confirm the bug with direct URL access. Even cleared my browser's cache.
Maybe there is a delay before the settings work completely?

Sebastian

External linking, by definition, only works if you're coming to see the photo from an external link.

If you're coming from a smugmug link, it will work fine.

This, too, is by design - otherwise you wouldn't be able to see *any* of those photos at all, all access would be shut off.

Don

minoltaman
Apr-07-2005, 04:11 PM
______________
Quote:
Originally Posted by jfriend
I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.

--John
------------
onethumb's reply:

"This is by design and not a bug. Sorry!"

Don
-------------
_________________________________

Any chance of beefing up the security on password protected galleries, Don? Other sites around do protect you from direct links or guessed url's when you enable password protection. The password protection system here at smugmug works sorta like pbase's hidden galleries. Not protected, just sorta hidden. Pbase is one site that does stop dlinking and guessing urls with its password protection scheme. Maybe you guys can get this level of protection here at smugmug in the not-too-distant future?

-don

jfriend
Apr-07-2005, 04:46 PM
How on smugmug are you supposed to protect/limit the viewing of an image URL to a specific audience so that there is no way for the general public to get to your image without knowing a password?

If I understand my own testing and your intent, password protection only requires the password if the user comes in the front door by browsing to the home page of the gallery. But, it doesn't protect against any form of individual access to the same images. Is there a reason that you'd want it to work that way? Or just some practical limitations that have led to it not being protected from this kind of access?

I'm asking to try to understand if I don't understand how you intend for a customer to solve this privacy issue (e.g. there's another way to do it)? Or, if you don't understand what we're asking for and why it seems important to us?

This is by design and not a bug. Sorry!

Don

onethumb
Apr-07-2005, 05:40 PM
Any chance of beefing up the security on password protected galleries, Don? Other sites around do protect you from direct links or guessed url's when you enable password protection. The password protection system here at smugmug works sorta like pbase's hidden galleries. Not protected, just sorta hidden. Pbase is one site that does stop dlinking and guessing urls with its password protection scheme. Maybe you guys can get this level of protection here at smugmug in the not-too-distant future?

Smugmug has more than 19,000,000 photos online. "Guessed URLs" are pretty dang tough.

When we built the passworded feature, it initially protected images entirely from passworded links, and our customers blew up at us. They were furious when they'd accidentally link a photo to a forum post, blog entry, or the like and it wouldn't work. Our customer support costs shot through the roof and we were inundated with complaints.

We quickly switched it to allow linking to the images and everyone was happy. At least, until now. :)

I have a *really* hard time understanding how guessing your photos among 19,000,000 other photos constitutes a security risk. The only way they can even get one image URL from a given gallery is if you choose to feature a photo - not something I recommend if you're security conscious, and need I remind you, something that wouldn't be allowed at all if the password scheme applied to images as well as just galleries.

We'll continue to think about it and revisit it from time-to-time, as we do with all smugmug product decisions, but I really doubt it'll get changed.

Thanks for the feedback, though. Without it, smugmug wouldn't be the great place it is.

Don

onethumb
Apr-07-2005, 05:44 PM
How on smugmug are you supposed to protect/limit the viewing of an image URL to a specific audience so that there is no way for the general public to get to your image without knowing a password?

If I understand my own testing and your intent, password protection only requires the password if the user comes in the front door by browsing to the home page of the gallery. But, it doesn't protect against any form of individual access to the same images. Is there a reason that you'd want it to work that way? Or just some practical limitations that have led to it not being protected from this kind of access?

I'm asking to try to understand if I don't understand how you intend for a customer to solve this privacy issue (e.g. there's another way to do it)? Or, if you don't understand what we're asking for and why it seems important to us?

If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

Don

jfriend
Apr-07-2005, 10:05 PM
You get to decide how important you think this is for smugmug's business and credibility. It seems to me like a problem you should think some more about.

I do understand the balance between security and convenience. I deal with that balance all the time in the software and architecture design work I do in my job. At the same time, security features come with certain expectations and it's generally a pretty bad thing for a company when their actual security doesn't match the common expectations, no matter what convenience you are trying to offer. In fact, in our business, we're better off under-promising the security than over-promising it. If the customer actually wants the convenience they are enjoying rather than the real security, then the feature needs to be presented in a different way that doesn't imply security that isn't really being delivered. On the other hand, if the customer wants the security that's being implied, then that security should be delivered, not "sort-of" delivered.

I myself use some of the security conveniences you've built in. For example, I use "private" galleries, but put URLs to specific photos into public postings. I didn't really know how a private gallery should work (I had no preset expectations), but I tried it and it solved my problem. I want to be able to post specific images, but not allow people to browse the whole gallery from my home page. That's useful to me. But, a password protected gallery is a different beast. For "most" people, that will set an expectation that one cannot view the content without supplying the password no matter how you try to access it.

I agree that it's nearly impossible for someone to find a specific photo of mine by guessing an URL. That is like trying to find a needle in a haystack.

But, on the other hand, it's really, really easy to find lots of other people's photos by just changing numbers in the URL. Here's a progression I followed:

I started with a public URL of mine:
http://jfriend.smugmug.com/photos/15410531-M-1.jpg

I then changed a few digits in the number and got someone else's image here:
http://jamescho.smugmug.com/photos/15410743-M-1.jpg

I twiddled a few more numbers here and got this image:
http://butler.smugmug.com/photos/15410756-M-1.jpg

I twiddled a few more numbers and got this image:
http://freiburg1971.smugmug.com/photos/15410656-M-1.jpg

Further, this does not appear to be a sparse numeric space that makes it difficult to guess numbers that land on photos. In fact, every single number I tried around where I started landed on a photo.

I have absolutely no idea whether these images are supposed to be public or not. Unless you have hardly any password protected galleries on smugmug, it should be fairly easy for me to find some content that is meant to be password protected. And, once you find one thing you like you can probably find the rest of the images in the gallery (assuming they were uploaded at the same time) because it looks like the numbers will be in close proximity to the first one you find.

I did find out that if originals are turned off in a gallery that they cannot be accessed with a guessed URL so that seems to work.

My summary is that I'd suggest you think about this some more. I think you are implying a security feature that isn't being delivered (which is usually a bad thing). I would suggest that you either change the user expectation for the password feature by presenting/describing it differently or make it really work. You could even solve the backward compatibility problem by letting the user decide with a preference whether a password protected gallery should allow un-authenticated direct linking or not.

I hope I don't sound like I'm trying to be difficult here. I am generally pleased with smugmug and have referred many folks here (39 referral credits so far).

--John

If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

Don

rainforest1155
Apr-08-2005, 01:54 AM
External linking, by definition, only works if you're coming to see the photo from an external link.

If you're coming from a smugmug link, it will work fine.

This, too, is by design - otherwise you wouldn't be able to see *any* of those photos at all, all access would be shut off.

Don, thanks for the answer. This all is perfectly right if external linking is turned on.
When external linking is off and I access a picture URL directly with my browser I shouldn't be allowed to see it, because the referrer-field should be empty then and that should be a sign for SM not to show the picture. Same thing when the picture is linked in a forum, then SM will get the referrer of the forum and therefore not allow to view the picture.
This should not interfere with gallery browsing, because then my browser would have the SM-domain as referrer.

I thought this is the way it works and for my understanding the differentiation between the cases should be not that hard. What am I missing?

Sebastian
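
Added example, not part of any post in this thread and not smugmug's code: a per-image authorization check covering the three complaints listed earlier (other owners' images served under a custom hostname, gallery passwords not applied to image URLs, Referer-based external-link control), with the owner preference for direct links that jfriend suggests. The hostnames, key, `share_token` and `authorize_image` are hypothetical names constructed for this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed values for this illustration (not real smugmug names or keys).
SHARE_KEY = b"constructed-demo-key"
SITE_HOST = "www.photos.example"


@dataclass
class Gallery:
    gallery_id: int
    owner_hosts: list                   # hostnames belonging to the owner
    password_protected: bool = False
    allow_direct_links: bool = False    # hypothetical owner preference
    allow_external_links: bool = True


@dataclass
class Request:
    host: str
    image_id: int
    referer: str = ""
    token: str = ""
    unlocked: set = field(default_factory=set)  # gallery ids unlocked in session


def share_token(image_id: int) -> str:
    """Per-image link token; knowing one does not yield the token for id + 1."""
    return hmac.new(SHARE_KEY, str(image_id).encode(), hashlib.sha256).hexdigest()


def authorize_image(req: Request, gallery: Gallery) -> str:
    """Decide 'serve', 'deny' or 'redirect:<host>'. `gallery` is the gallery
    the requested image belongs to (looked up by image_id in a real system)."""
    # 1. A hostname only serves its own owner's images.
    if req.host not in gallery.owner_hosts:
        return "redirect:" + gallery.owner_hosts[0]

    # 2. The gallery password covers every image URL, not just the gallery page.
    if gallery.password_protected:
        in_session = gallery.gallery_id in req.unlocked
        has_link = gallery.allow_direct_links and hmac.compare_digest(
            req.token.encode(), share_token(req.image_id).encode())
        if not (in_session or has_link):
            return "deny"

    # 3. External-link control. Referer is client-supplied and empty on direct
    #    navigation, so this limits embedding; it is not an access check.
    if not gallery.allow_external_links and req.referer:
        ref_host = urlparse(req.referer).hostname or ""
        if ref_host != SITE_HOST and ref_host not in gallery.owner_hosts:
            return "deny"
    return "serve"


def demo() -> dict:
    host = "www.studio.example"
    locked = Gallery(7, [host], password_protected=True, allow_direct_links=True)
    public = Gallery(8, [host], allow_external_links=False)
    link = share_token(1000)            # owner shares image 1000 only
    return {
        "shared_link": authorize_image(Request(host, 1000, token=link), locked),
        "neighbour_with_same_token": authorize_image(Request(host, 1001, token=link), locked),
        "neighbour_no_token": authorize_image(Request(host, 1001), locked),
        "after_password": authorize_image(Request(host, 1001, unlocked={7}), locked),
        "wrong_hostname": authorize_image(Request("www.other.example", 1000, token=link), locked),
        "embedded_elsewhere": authorize_image(Request(host, 2000, referer="http://forum.example/t/1"), public),
        "typed_directly": authorize_image(Request(host, 2000), public),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The `typed_directly` case is served even with external links off, which is the behaviour the posters observed: a Referer rule alone cannot tell a typed URL from an authorized viewer, so the password check in step 2 has to run on the image request itself.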

XO-Studios
Apr-08-2005, 07:35 AM
If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

Don
OK here we go, as this is extremely easy.

http://www.xo-studios.com/photos/19184525-M.jpg

Hi there Aunt Margie, I was in a theatre production, here is a backstage picture.

Aunt Margie or one of the cousins gets bored (picture number -1)

http://www.xo-studios.com/photos/19184524-M.jpg

I am not sure about your Aunt Margie, but mine definitely wasn't supposed to see that last picture. Quite often my pictures uploaded as a batch have sequential numbers.

Both pictures are in a password protected gallery that is private. Originals and larges switched off.

XO,

XO-Studios
Apr-08-2005, 07:44 AM
If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

Don
For X=1-999999 do
image_url="http://www.smugmug.com/photos/"+X+"-M.jpg"
if exist(image_url) save(image_url)
X=X+1

I believe you get where I am getting at.

XO,

dvdmon
Apr-08-2005, 08:12 AM
OK here we go, as this is extremely easy.

http://www.xo-studios.com/photos/19184525-M.jpg

Hi there Aunt Margie, I was in a theatre production, here is a backstage picture.

Aunt Margie or one of the cousins gets bored (picture number -1)

http://www.xo-studios.com/photos/19184524-M.jpg

XO, those url's are not producing images when I go to them??

dvdmon
Apr-08-2005, 08:20 AM
For X=1-999999 do
image_url="http://www.smugmug.com/photos/"+X+"-M.jpg"
if exist(image_url) save(image_url)
X=X+1

I believe you get where I am getting at.

XO,
I was about to post something similar. Guessing urls may or may not be an easy thing to do, but I can very quickly type up an ASP app that creates pages of thumbnail images by just incrementing through the digits in the image files and linking those thumbnails to the larger version of the image. This way I can easily browse through thousands of images and pick ones I may be interested in. No, I may not be able to pinpoint specific users' pictures, but I can certainly pick and choose images that I might want to take a closer look at very easily.

I'm not sure why users were initially irate that they couldn't link to images in PRIVATE galleries, but considering the unlimited storage space, it seems silly why they couldn't just include the photos they want to publicly link to in another gallery that is public. But whatever the case is, I think there needs to be some way of locking images down so that they can't be retrieved by "guessing" (or more likely "browsing"). How this is done doesn't concern me as much as that it is done and that instructions to do so are created and given to us...

minoltaman
Apr-08-2005, 09:31 AM
I was about to post something similar. Guessing urls may or may not be an easy thing to do, but I can very quickly type up an ASP app that creates pages of thumbnail images by just incrementing through the digits in the image files and linking those thumbnails to the larger version of the image. This way I can easily browse through thousands of images and pick ones I may be interested in. No, I may not be able to pinpoint specific users' pictures, but I can certainly pick and choose images that I might want to take a closer look at very easily.

I'm not sure why users were initially irate that they couldn't link to images in PRIVATE galleries, but considering the unlimited storage space, it seems silly why they couldn't just include the photos they want to publicly link to in another gallery that is public. But whatever the case is, I think there needs to be some way of locking images down so that they can't be retrieved by "guessing" (or more likely "browsing"). How this is done doesn't concern me as much as that it is done and that instructions to do so are created and given to us...

This type of scenario is my biggest concern. It's just like educated url guessing, right Don? My biggest piracy worries are with the "professional" pirates strip mining a whole library of photos. I have not knowingly run into this animal yet, but I would not want to run in to him or her in the future either. I also would like to think your customers should be able to accept that they simply can not direct link to password protected photos, that is just common sense. If someone can't take a simple "you can't dlink to photos in password protected galleries" note from customer support, I would not have a clue as to why not.:dunno Everyone should be thankful for not being able to dlink to password protected images. I really do think reconsidering the stronger password protection issue here at smugmug is worth your time and troubles. I realize this is a tough and delicate area, but password protection seems to be a pretty strong term for images that are not really password protected.

-don

onethumb
Apr-08-2005, 10:00 AM
This is exactly my concern as well. It's just like educated url guessing, right Don? My biggest piracy worries are with the "professional" pirates strip mining a whole library of photos. I have not knowingly run into this animal yet, but I would not want to run in to him or her in the future either. I also would like to think your customers should be able to accept that they simply can not direct link to password protected photos, that is just common sense. If someone can't take a simple "you can't dlink to photos in password protected galleries" note from customer support, I would not have a clue as to why not.:dunno Everyone should be thankful for not being able to dlink to password protected images. I really do think reconsidering the stronger password protection issue here at smugmug is worth your time and troubles. I realize this is a tough and delicate area, but password protection seems to be a pretty strong term for images that are not really password protected.

-don

It may seem like common sense to you, but I assure you, it's not to most of our customers.

We often make decisions "for the greater good" and this is one of those times. You CAN link to Passworded galleries for all sorts of good reasons. One is that you may want to post a photo to a forum and not have it publicly displayed on your site. It happens all the time, this particular need.

I'm sorry, but I've heard everyone's arguments and they just don't carry enough weight. We got, until this thread, ZERO complaints about this issue. Not few, literally none. When Passworded galleries worked differently, we got lots of complaints. In that light, this really isn't a difficult decision. We don't purport to be the end-all-be-all of security and privacy, and we like it that way. Easy trumps Security at smugmug if there's a collision. We generally try to do both extremely well, but this is one of those cases. If that's a problem, you might want to consider going elsewhere.

As I said, we'll continue to think about the feature and talk about it amongst ourselves, but merely "guessing" a URL by incrementing or guessing ImageIDs isn't scary enough or important enough to work on. As long as your whole gallery is passworded, there's not even a starting image to start guessing from. Finally, if you use any of the "modern" smugmug uploaders, such as Star*Explorer, your photos won't even be sequential. They'll be interleaved with other people's photos.

I'm closing this thread since it's degenerated into me asking "well, how do you get passworded images without guessing" and replies that basically say "here's how to guess them". Open another one if you have something important to add that's not related to guessing image #s.

Don