Domain Hosting vs Domain Masking

XO-Studios Registered Users Posts: 457 Major grins
edited April 8, 2005 in SmugMug Support
I noticed being a pro-user that smugmug doesn't really use domain hosting, but uses domain masking.

When I share a picture http://www.xo-studios.com/photos/17971305-M.jpg, even tho this picture might be in a protected gallery.

Now for more fun, try changing the picture number
17971305 to 17971306

http://www.xo-studios.com/photos/17971306-M.jpg

Even tho the domain name says XO-Studios, that is not my picture.

Sometimes, my pictures get sequential numbers, sometimes they don't. (pending traffic)

Now I personally stopped using sharing, as ppl get bored and mess with the url and get to see others' pictures, under my domain name.

I have contacted tech support at smugmug and their reaction is 'too bad, too sad' which to me means too sad indeed, as I can live with my pictures not being protected (i.e. I simply don't use share anymore) but I cannot live with others' pictures showing under my domain name.

This technique btw is called domain masking, not domain hosting
example:
http://www.smugmug.com/photos/17971305-M.jpg
is identical to
http://www.xo-studios.com/photos/17971305-M.jpg

I am convinced that there should be a simple way to block access to pictures that are not in any of my galleries, however so far smugmug tech support gives a 'not at home/not our problem' type of response.

FWIW,
YMMV,

XO,
You can't depend on your eyes when your imagination is out of focus.
Mark Twain


Some times I get lucky and when that happens I show the results here: http://www.xo-studios.com

Comments

  • flyingpylon Registered Users Posts: 260 Major grins
    edited April 6, 2005
    Nice first post. MMDV (My Mileage Did Vary)

    First, I doubt they said "too bad, so sad" or gave you a "not at home, not our problem" answer. What probably happened is that they just didn't tell you what you wanted to hear.

    Anyway, I have a pro account, and the same thing does not happen to me. When I try the second URL with either of the hostnames that point to my smugmug account, I get redirected to the hostname of the photo's owner.
  • LiquidOps Registered Users Posts: 835 Major grins
    edited April 6, 2005
    XO-Studios wrote:
    Now I personally stopped using sharing, as ppl get bored and mess with the url and get to see others' pictures, under my domain name.
    so... ummmm... solution = take better pictures so people don't "get bored"??

    yes no?

    haha... only messin. I don't think support gave you the big middle finger... it's not their style.
    Wandering Through Life Photography
    MM Portfolio

    Canon 30D | Canon 50mm f/1.8 | Tamron 28-75mm f/2.8 | Canon Speedlite 580ex
  • onethumb Administrators Posts: 1,269 Major grins
    edited April 6, 2005
    XO-Studios wrote:
    I noticed being a pro-user that smugmug doesn't really use domain hosting, but uses domain masking.

    Actually, you're wrong on both counts. Smugmug doesn't do domain hosting - you need your own DNS servers, either through your registrar or other, to do your hosting. It looks like you have this.

    We also don't do DNS masking.

    Instead, we host your photo sharing and make it viewable at your fully-qualified hostname on your domain. It's like hosting a website, but not like hosting domains.

    XO-Studios wrote:
    When I share a picture http://www.xo-studios.com/photos/17971305-M.jpg, even tho this picture might be in a protected gallery.

    Now for more fun, try changing the picture number
    17971305 to 17971306

    http://www.xo-studios.com/photos/17971306-M.jpg

    Even tho the domain name says XO-Studios, that is not my picture.

    You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!
    XO-Studios wrote:
    I have contacted tech support at smugmug and their reaction is 'too bad, too sad' which to me means too sad indeed,
    XO-Studios wrote:
    so far smugmug tech support gives a 'not at home/not our problem' type of response.

    As the CEO, I take this very seriously. Can you please let me know what customer service reps you were dealing with so I can check their logs and see what went wrong? You should never receive answers like either of the above.

    smugmug is devoted to five-star customer service across the board and I'm terribly sorry if we haven't met up to that standard. We'll make it right, and knowing who you were dealing with will help a great deal.

    Thanks!

    Don
  • System Registered Users Posts: 8,186 moderator
    edited April 6, 2005
    onethumb wrote:

    You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!
    I own a small web services business and we offer forwarding and masking to all of the folks registering domain names with us. It's not a real biggie, but do please let us know when this is fixed as it would be very helpful to have this straightened out. If I understand this correctly, all of my clients that forward with masking to smugmug using my dns servers are affected by this bug? Or is this something kookier than that? If I am off base here, just kick me in the teeth. I would also like to say that in my time here at smugmug I have been impressed with smugmug's professional support staff. bravo

    -don
  • XO-Studios Registered Users Posts: 457 Major grins
    edited April 6, 2005
    onethumb wrote:
    <SNIP>
    As the CEO, I take this very seriously. Can you please let me know what customer service reps you were dealing with so I can check their logs and see what went wrong? You should never receive answers like either of the above.

    <SNIP>
    Don
    Don,

    Thanks for the quick response, for more feedback, and the answer/email you were looking for please email me offlist (XO@XO-studios.com).

    To the rest of you, I did get a quick response, and no I did not literally get told too bad/too sad, rather I got an answer that stated, it was just the way things were.

    XO,
  • dvdmon Registered Users Posts: 28 Big grins
    edited April 7, 2005
    onethumb wrote:
    You're right! This is a bug and we'll get working on a fix. You'll notice that it doesn't happen for smugmug domains, just external domains, and it was an oversight. Sorry about that!
    Don, I'm experiencing the same behavior on my smugmug subdomain. Specifically, I go to one of my private albums, click on one of the images so that it comes up in a web browser with the url being the jpg file itself. Then I log out and try to refresh that page and it still comes up. I then try incrementing the digits in the file name and come up with additional images, ones that I know could not be in my browser's cache, but which I know are also in private albums... I tried playing around with some settings and disabled external links but that didn't seem to do anything...

    Thanks,

    Levi
  • jfriend Registered Users Posts: 8,097 Major grins
    edited April 7, 2005
    Not sure this is a bug
    Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.

    --John
    dvdmon wrote:
    Don, I'm experiencing the same behavior on my smugmug subdomain. Specifically, I go to one of my private albums, click on one of the images so that it comes up in a web browser with the url being the jpg file itself. Then I log out and try to refresh that page and it still comes up. I then try incrementing the digits in the file name and come up with additional images, ones that I know could not be in my browser's cache, but which I know are also in private albums... I tried playing around with some settings and disabled external links but that didn't seem to do anything...

    Thanks,

    Levi
    --John
    HomepagePopular
    JFriend's javascript customizationsSecrets for getting fast answers on Dgrin
    Always include a link to your site when posting a question
  • winnjewett Registered Users Posts: 329 Major grins
    edited April 7, 2005
    Additionally, if you want a gallery to appear on the home page, you can first feature the gallery, and then make it private. In this way, the category it resides in (if it's alone) will not show up, but people can get directly to it.

    I also do not believe that the above scenario is a bug.

    -w
  • XO-Studios Registered Users Posts: 457 Major grins
    edited April 7, 2005
    jfriend wrote:
    Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.

    --John

    Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
    You share a picture as a teaser.
    http://xxx.yyyyy.zzz/photos/123456-m.jpg

    Someone is smart enough to figure out that
    http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
    is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
    Or as the earlier bug said it leads to a picture of someone else's gallery.

    I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.

    FWIW,

    XO,
  • System Registered Users Posts: 8,186 moderator
    edited April 7, 2005
    XO-Studios wrote:
    Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
    You share a picture as a teaser.
    http://xxx.yyyyy.zzz/photos/123456-m.jpg

    Someone is smart enough to figure out that
    http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
    is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
    Or as the earlier bug said it leads to a picture of someone else's gallery.

    I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.

    FWIW,

    XO,
    XO, you seem correct on your opinion of the bug you detailed. I DO NOT want any part of this sort of easy to figure out money-losing bug. It certainly could lead to someone losing a bunch of images not on his own accord, and that is not cool for sure.

    -don
  • jfriend Registered Users Posts: 8,097 Major grins
    edited April 7, 2005
    Serious bug with password protected galleries
    I, myself, don't expect marking a gallery private to protect it in the way you do. But, I do expect password protection on the gallery to protect ANY access to the gallery or ANY photos in the gallery without first entering the password.

    I just ran a test and a password protected gallery is ONLY protected at the top level gallery level. If you have an URL to a photo or you guess an URL to a photo, you get to see it without providing the password. That seems like a serious security bug. You should be required to enter a password before viewing ANY photos in a password protected gallery. BTW, I don't have a custom domain so this problem exists even without that.

    So XO-Studios, I tested this because I thought a password protected gallery should provide the protection you seem to be interested in, but alas, that doesn't currently work.

    --John
    XO-Studios wrote:
    Consider the following scenario, as I tried and used it exactly as such. You were at an event, doing what it is you do for a living.
    You share a picture as a teaser.
    http://xxx.yyyyy.zzz/photos/123456-m.jpg

    Someone is smart enough to figure out that
    http://xxx.yyyyy.zzz/photos/123457-m.jpg (pic number +1)
    is a pic of that same event, a picture you never meant to share, and poof there goes potential revenue.
    Or as the earlier bug said it leads to a picture of someone else's gallery.

    I am not sure about any of you, but I have some pictures in my galleries that are definitely not for general viewing.

    FWIW,

    XO,
    --John
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited April 7, 2005
    jfriend wrote:
    I just ran a test and a password protected gallery is ONLY protected at the top level gallery level. If you have an URL to a photo or you guess an URL to a photo, you get to see it without providing the password.
    You're right, password protection works only on album level, so you have to turn off external linking and then nobody should be able to access them without a password.

    Sebastian
    Sebastian
    SmugMug Support Hero
  • XO-Studios Registered Users Posts: 457 Major grins
    edited April 7, 2005
    You're right, password protection works only on album level, so you have to turn off external linking and then nobody should be able to access them without a password.

    Sebastian

    Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.

    XO,
  • XO-Studios Registered Users Posts: 457 Major grins
    edited April 7, 2005
    jfriend wrote:
    <SNIP>
    So XO-Studios, I tested this because I thought a password protected gallery should provide the protection you seem to be interested in, but alas, that doesn't currently work.

    --John
    Which was exactly what I emailed in my original email to smugmug tech support.

    1) picture URLs are not protected
    2) other people's pics will show under my domain
    3) passwords do not protect individual files.

    XO,
  • jfriend Registered Users Posts: 8,097 Major grins
    edited April 7, 2005
    Confirmed
    I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.

    --John
    XO-Studios wrote:
    Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.

    XO,
    --John
  • dvdmon Registered Users Posts: 28 Big grins
    edited April 7, 2005
    Hmm. I'll be interested to see what the smugmug folks say about this behavior because I think it may be working as desired. I have marked a gallery private when I don't want the gallery to be browseable or findable or searchable by the general public, but I want to share the URLs of specific images or even of the whole gallery with other people. So, I am using this as a feature and don't consider it a bug.
    The way I would do this is to just create one gallery for public consumption and one for private. XOXO's concerns are not exactly mine. My concern is that some clients do not want their pictures accessible by anyone who has some spare time and likes playing with URLs. Also, because some private folders are set to allow full-size access, that means theoretically someone could come steal your full-size image files... I just tried this by getting the "original" image file url from my private non-external link-enabled gallery, logging out, incrementing the digits and got additional original files from that gallery. I incremented to a higher degree and got original images from other peoples' galleries.

    So as far as I'm concerned, having stuff show up under my url doesn't mean anything because the people who are accessing these are already fooling around and so should know that they might get something unexpected. What I'm MUCH more concerned about is the privacy of my clients (and my OWN, friends', and family's privacy), as well as the possibility that original images could be stolen...
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited April 7, 2005
    XO-Studios wrote:
    Do the test, you will find that once you know the URL to a picture changing external linking will not make a difference. Only outside linking will be disabled i.e. the use of the image as called for by an outside domain.

    XO,
    Sorry for not testing it before writing. I can confirm the bug with direct URL access. Even cleared my browser's cache.
    Maybe there is a delay before the settings work completely?

    Sebastian
    Sebastian
    SmugMug Support Hero
  • onethumb Administrators Posts: 1,269 Major grins
    edited April 7, 2005
    jfriend wrote:
    I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.

    --John

    This is by design and not a bug. Sorry!

    Don
  • onethumb Administrators Posts: 1,269 Major grins
    edited April 7, 2005
    Sorry for not testing it before writing. I can confirm the bug with direct URL access. Even cleared my browser's cache.
    Maybe there is a delay before the settings work completely?

    Sebastian

    External linking, by definition, only works if you're coming to see the photo from an external link.

    If you're coming from a smugmug link, it will work fine.

    This, too, is by design - otherwise you wouldn't be able to see *any* of those photos at all, all access would be shut off.

    Don
  • System Registered Users Posts: 8,186 moderator
    edited April 7, 2005
    ______________
    Quote:
    Originally Posted by jfriend
    I just confirmed this. Turning off external linking on a password protected gallery does not prevent viewing images in the gallery if you know or guess the URL.

    --John
    onethumb's reply:

    "This is by design and not a bug. Sorry!"

    Don
    _________________________________

    Any chance of beefing up the security on password protected galleries, Don? Other sites around do protect you from direct links or guessed URLs when you enable password protection. The password protection system here at smugmug works sorta like pbase's hidden galleries. Not protected, just sorta hidden. Pbase is one site that does stop dlinking and guessing urls with its password protection scheme. Maybe you guys can get this level of protection here at smugmug in the not-too-distant future?

    -don
  • jfriend Registered Users Posts: 8,097 Major grins
    edited April 7, 2005
    How is one supposed to protect images on smugmug?
    How on smugmug are you supposed to protect/limit the viewing of an image URL to a specific audience so that there is no way for the general public to get to your image without knowing a password?

    If I understand my own testing and your intent, password protection only requires the password if the user comes in the front door by browsing to the home page of the gallery. But, it doesn't protect against any form of individual access to the same images. Is there a reason that you'd want it to work that way? Or just some practical limitations that have led to it not being protected from this kind of access?

    I'm asking to try to understand if I don't understand how you intend for a customer to solve this privacy issue (e.g. there's another way to do it)? Or, if you don't understand what we're asking for and why it seems important to us?
    onethumb wrote:
    This is by design and not a bug. Sorry!

    Don
    --John
  • onethumb Administrators Posts: 1,269 Major grins
    edited April 7, 2005
    minoltaman wrote:
    Any chance of beefing up the security on password protected galleries, Don? Other sites around do protect you from direct links or guessed URLs when you enable password protection. The password protection system here at smugmug works sorta like pbase's hidden galleries. Not protected, just sorta hidden. Pbase is one site that does stop dlinking and guessing urls with its password protection scheme. Maybe you guys can get this level of protection here at smugmug in the not-too-distant future?

    Smugmug has more than 19,000,000 photos online. "Guessed URLs" are pretty dang tough.

    When we built the passworded feature, it initially protected images entirely from passworded links, and our customers blew up at us. They were furious when they'd accidentally link a photo to a forum post, blog entry, or the like and it wouldn't work. Our customer support costs shot through the roof and we were inundated with complaints.

    We quickly switched it to allow linking to the images and everyone was happy. At least, until now. :)

    I have a *really* hard time understanding how guessing your photos among 19,000,000 other photos constitutes a security risk. The only way they can even get one image URL from a given gallery is if you choose to feature a photo - not something I recommend if you're security conscious, and need I remind you, something that wouldn't be allowed at all if the password scheme applied to images as well as just galleries.

    We'll continue to think about it and revisit it from time-to-time, as we do with all smugmug product decisions, but I really doubt it'll get changed.

    Thanks for the feedback, though. Without it, smugmug wouldn't be the great place it is.

    Don
  • onethumb Administrators Posts: 1,269 Major grins
    edited April 7, 2005
    jfriend wrote:
    How on smugmug are you supposed to protect/limit the viewing of an image URL to a specific audience so that there is no way for the general public to get to your image without knowing a password?

    If I understand my own testing and your intent, password protection only requires the password if the user comes in the front door by browsing to the home page of the gallery. But, it doesn't protect against any form of individual access to the same images. Is there a reason that you'd want it to work that way? Or just some practical limitations that have led to it not being protected from this kind of access?

    I'm asking to try to understand if I don't understand how you intend for a customer to solve this privacy issue (e.g. there's another way to do it)? Or, if you don't understand what we're asking for and why it seems important to us?

    If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

    But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

    Don
  • jfriend Registered Users Posts: 8,097 Major grins
    edited April 8, 2005
    You get to decide how important you think this is for smugmug's business and credibility. It seems to me like a problem you should think some more about.

    I do understand the balance between security and convenience. I deal with that balance all the time in the software and architecture design work I do in my job. At the same time, security features come with certain expectations and it's generally a pretty bad thing for a company when their actual security doesn't match the common expectations, no matter what convenience you are trying to offer. In fact, in our business, we're better off under-promising the security than over-promising it. If the customer actually wants the convenience they are enjoying rather than the real security, then the feature needs to be presented in a different way that doesn't imply security that isn't really being delivered. On the other hand, if the customer wants the security that's being implied, then that security should be delivered, not "sort-of" delivered.

    I myself use some of the security conveniences you've built in. For example, I use "private" galleries, but put URLs to specific photos into public postings. I didn't really know how a private gallery should work (I had no preset expectations), but I tried it and it solved my problem. I want to be able to post specific images, but not allow people to browse the whole gallery from my home page. That's useful to me. But, a password protected gallery is a different beast. For "most" people, that will set an expectation that one cannot view the content without supplying the password no matter how you try to access it.

    I agree that it's nearly impossible for someone to find a specific photo of mine by guessing an URL. That is like trying to find a needle in a haystack.

    But, on the other hand, it's really, really easy to find lots of other people's photos by just changing numbers in the URL. Here's a progression I followed:

    I started with a public URL of mine:
    http://jfriend.smugmug.com/photos/15410531-M-1.jpg

    I then changed a few digits in the number and got someone else's image here:
    http://jamescho.smugmug.com/photos/15410743-M-1.jpg

    I twiddled a few more numbers here and got this image:
    http://butler.smugmug.com/photos/15410756-M-1.jpg

    I twiddled a few more numbers and got this image:
    http://freiburg1971.smugmug.com/photos/15410656-M-1.jpg

    Further, this does not appear to be a sparse numeric space that makes it difficult to guess numbers that land on photos. In fact, every single number I tried around where I started landed on a photo.

    I have absolutely no idea whether these images are supposed to be public or not. Unless you have hardly any password protected galleries on smugmug, it should be fairly easy for me to find some content that is meant to be password protected. And, once you find one thing you like you can probably find the rest of the images in the gallery (assuming they were uploaded at the same time) because it looks like the numbers will be in close proximity to the first one you find.

    I did find out that if originals are turned off in a gallery that they cannot be accessed with a guessed URL so that seems to work.

    My summary is that I'd suggest you think about this some more. I think you are implying a security feature that isn't being delivered (which is usually a bad thing). I would suggest that you either change the user expectation for the password feature by presenting/describing it differently or make it really work. You could even solve the backward compatibility problem by letting the user decide with a preference whether a password protected gallery should allow un-authenticated direct linking or not.

    I hope I don't sound like I'm trying to be difficult here. I am generally pleased with smugmug and have referred many folks here (39 referral credits so far).

    --John
    onethumb wrote:
    If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

    But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

    Don
    --John
  • rainforest1155 Registered Users Posts: 4,566 Major grins
    edited April 8, 2005
    onethumb wrote:
    External linking, by definition, only works if you're coming to see the photo from an external link.

    If you're coming from a smugmug link, it will work fine.

    This, too, is by design - otherwise you wouldn't be able to see *any* of those photos at all, all access would be shut off.
    Don, thanks for the answer. This all is perfectly right if external linking is turned on.
    When external linking is off and I access a picture URL directly with my browser I shouldn't be allowed to see it, because the referrer-field should be empty then and that should be a sign for SM not to show the picture. Same thing when the picture is linked in a forum, then SM will get the referrer of the forum and therefore not allow to view the picture.
    This should not interfere with gallery browsing, because then my browser would have the SM-domain as referrer.

    I thought this is the way it works and for my understanding the differentiation between the cases should be not that hard. What am I missing?

    Sebastian
    Sebastian
    SmugMug Support Hero
  • XO-Studios Registered Users Posts: 457 Major grins
    edited April 8, 2005
    onethumb wrote:
    If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

    But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

    Don
    OK here we go, as this is extremely easy.

    www.xo-studios.com/photos/19184525-M.jpg

    Hi there Aunt Margie, I was in a theatre production, here is a backstage picture.

    Aunt Margie or one of the cousins gets bored (picture number -1)

    www.xo-studios.com/photos/19184524-M.jpg

    I am not sure about your Aunt Margie, but mine definitely wasn't supposed to see that last picture. Quite often my pictures uploaded as a batch have sequential numbers.

    Both pictures are in a password protected gallery that is private. Originals and larges switched off.

    XO,
  • XO-StudiosXO-Studios Registered Users Posts: 457 Major grins
    edited April 8, 2005
    onethumb wrote:
    If you can demonstrate how someone can accurately guess a specific photo of yours from within 19,000,000+ photos at smugmug, in a passworded gallery with no featured photo, I'd be happy to revisit the security concerns.

    But given all the security options (Private, Password, External Links, Larges, Originals, Image Protection), I feel like we are perfectly balanced between being very secure and very easy. It's a tough line to walk, and I think we're doing great.

    Don
    For X=1-999999 do
    image_url="http://www.smugmug.com/photos/"+X+"-M.jpg"
    if exist(image_url) save(image_url)
    X=X+1

    I believe you get where I am getting at.

    XO,
  • dvdmondvdmon Registered Users Posts: 28 Big grins
    edited April 8, 2005
    XO-Studios wrote:
    OK here we go, as this is extremely easy.

    www.xo-studios.com/photos/19184525-M.jpg

    Hi there Aunt Margie, I was in a theatre production, here is a backstage picture.

    Aunt Margie or one of the cousins gets bored (picture number -1)

    www.xo-studios.com/photos/19184524-M.jpg
    XO, those URLs are not producing images when I go to them??
  • dvdmondvdmon Registered Users Posts: 28 Big grins
    edited April 8, 2005
    XO-Studios wrote:
    For X=1-999999 do
    image_url="http://www.smugmug.com/photos/"+X+"-M.jpg"
    if exist(image_url) save(image_url)
    X=X+1

    I believe you get where I am getting at.

    XO,
    I was about to post something similar. Guessing urls may or may not be an easy thing to do, but I can very quickly type up an ASP app that creates pages of thumbnail images by just incrementing through the digits in the image files and linking those thumbnails to the larger version of the image. This way I can easily browse through thousands of images and pick ones I may be interested in. No, I may not be able to pinpoint specific users' pictures, but I can certainly pick and choose images that I might want to take a closer look at very easily.

    I'm not sure why users were initially irate that they couldn't link to images in PRIVATE galleries, but considering the unlimited storage space, it seems silly why they couldn't just include the photos they want to publicly link to in another gallery that is public. But whatever the case is, I think there needs to be some way of locking images down so that they can't be retrieved by "guessing" (or more likely "browsing"). How this is done doesn't concern me as much as that it is done and that instructions to do so are created and given to us...
  • SystemSystem Registered Users Posts: 8,186 moderator
    edited April 8, 2005
    dvdmon wrote:
    I was about to post something similar. Guessing urls may or may not be an easy thing to do, but I can very quickly type up an ASP app that creates pages of thumbnail images by just incrementing through the digits in the image files and linking those thumbnails to the larger version of the image. This way I can easily browse through thousands of images and pick ones I may be interested in. No, I may not be able to pinpoint specific users' pictures, but I can certainly pick and choose images that I might want to take a closer look at very easily.

    I'm not sure why users were initially irate that they couldn't link to images in PRIVATE galleries, but considering the unlimited storage space, it seems silly why they couldn't just include the photos they want to publicly link to in another gallery that is public. But whatever the case is, I think there needs to be some way of locking images down so that they can't be retrieved by "guessing" (or more likely "browsing"). How this is done doesn't concern me as much as that it is done and that instructions to do so are created and given to us...
    This type of scenario is my biggest concern. It's just like educated url guessing, right Don? My biggest piracy worries are with the "professional" pirates strip mining a whole library of photos. I have not knowingly run into this animal yet, but I would not want to run into him or her in the future either. I also would like to think your customers should be able to accept that they simply cannot direct link to password protected photos, that is just common sense. If someone can't take a simple "you can't dlink to photos in password protected galleries" note from customer support, I would not have a clue as to why not. Everyone should be thankful for not being able to dlink to password protected images. I really do think reconsidering the stronger password protection issue here at smugmug is worth your time and troubles. I realize this is a tough and delicate area, but password protection seems to be a pretty strong term for images that are not really password protected.

    -don
This discussion has been closed.
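
The thread ends on a request for images that cannot be retrieved by incrementing the number in the URL. As an added example (not SmugMug's code and not from any poster), one way to get there is to require a per-photo key derived with a server-side secret and to answer every failure identically. The secret, the ownership table, the `other-user.example` host, the `_<key>` URL layout and the size letters are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed demo values: a real service would load the secret from a secret
# store and look up ownership in its database.
SERVER_SECRET = b"constructed-demo-secret"
PHOTO_OWNER_HOST = {
    19184524: "www.xo-studios.com",
    19184525: "www.xo-studios.com",
    17971306: "other-user.example",  # placeholder for another customer's domain
}

# Assumed layout: /photos/<id>_<32 hex chars>-<size>.jpg
PHOTO_PATH = re.compile(r"^/photos/(\d+)_([0-9a-f]{32})-(S|M|L)\.jpg$")


def photo_key(photo_id: int) -> str:
    """128-bit key derived from the photo ID with a server-side secret."""
    mac = hmac.new(SERVER_SECRET, str(photo_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def share_url(photo_id: int, size: str = "M") -> str:
    """URL the owner hands out; the numeric ID alone no longer fetches anything."""
    host = PHOTO_OWNER_HOST[photo_id]
    return f"http://{host}/photos/{photo_id}_{photo_key(photo_id)}-{size}.jpg"


def serve_status(host: str, path: str) -> int:
    """Return 200 only for a known photo, on its owner's hostname, with a valid key.

    Every failure returns the same 404, so a counting loop cannot tell
    'no such photo' from 'photo exists but the key is wrong'.
    """
    m = PHOTO_PATH.match(path)
    if not m:
        return 404  # includes old-style /photos/<id>-M.jpg links
    photo_id, key = int(m.group(1)), m.group(2)
    key_ok = hmac.compare_digest(key, photo_key(photo_id))  # constant-time compare
    owner_host = PHOTO_OWNER_HOST.get(photo_id)
    if not key_ok or owner_host is None or host.lower() != owner_host:
        return 404
    return 200
```

Binding the check to the owner's hostname also covers the original complaint that another customer's photo could be displayed under a pro user's own domain.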