First two security winners
Our friends over at Blogoscoped, Philipp Lenssen and Tony Ruscoe, figured out the gallery # and account name for our security contest. They haven’t (yet?) managed to get the actual image. They’ve declined the $1000 bounty, but I’ve offered to donate the same amount, in their name, to the charity of their choice. Still waiting to hear back.
Tim Gosselin, on the other hand, managed to find a way to get a smaller version of the 3Mpix image. Kudos to Tim - clever hack.
Both bugs have already been fixed, I believe, and no-one has managed to get the original image thus far.
I’ve had to lower the bounty amount to $599.99 to avoid tax complications, but both Blogoscoped and Tim will be getting the full amount (or donating it or whatever they choose to do).
The contest is still on, so if you’d like to help us tighten our security, give it a shot.
Tags: blogoscoped, contest, philipp lessen, security, smugmug, tony ruscoe
January 28th, 2008 at 7:13 pm
Way to go Don !! You’re an honorable man - keep up the good works !!
listen to learn , learn to listen..
keep chugging we’ll keep clapping :)-
January 28th, 2008 at 9:36 pm
As a newish member of smugmug, I’m a little troubled by this whole story. It’s like coming home to find that your house wasn’t broken into but the screen door has been ripped off and you get a feeling you’re not as secure as you thought.
January 29th, 2008 at 12:45 am
What are the tax complications? I’m curious…
January 29th, 2008 at 7:21 am
If you pay someone over $600 you have to send them an IRS form 1099 at the end of the year. For that you need their name, address, and SSN.
January 29th, 2008 at 8:16 am
Since the bugs were fixed, do we get a full disclosure on the methods they used?
Cor
January 29th, 2008 at 3:38 pm
Yeah, I’m curious about the bug-fixes. Oh wait, I think I noticed the CNAME fix yesterday when I tried my Fusker script. That’s probably how they figured out the account name, right? I wonder how they found the gallery though if it was private. That’s a junkload of guessing, unless I suppose, you can find an adjacent photo’s public gallery ID and then make some more educated guesses.
Was the image ever actually viewable without hacks?
January 29th, 2008 at 5:39 pm
This is probably a bit off topic, but still relevant to the security vs privacy portion of this discussion:
http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html
Cheers,
January 30th, 2008 at 11:47 am
A “medium” resolution image was viewable… and it was restricted to medium because the album settings had the largest size set to “medium” though I think the default for largest size on new albums is “original” and if the album was set to that, then the original resolution image would have been accessible.
If the largest size was set to “original” I also believe this would have bypassed the watermarking since the original is not watermarked. If someone else would like to confirm the watermarking issue, that would be nice.
January 31st, 2008 at 10:53 pm
The assumptions made about privacy and security are quite flawed.
I love SmugMug and Don’s blog a lot but it seems he is missing the point.
I’ll demonstrate by assuming there is one evil person in the world who hates SmugMug for being so cool and successful.
This person decides to spend his hard earned money to create a publicity nightmare.
Let’s assume there are 1 million real pictures out of the 250 million possible URLs ( number does not really matter).
He spends 500$ to get 100 servers from Amazon EC2 and uses them for 2 days. Each server can send 50,000 HTTP requests per hour.
After 2 days the evil person knows exactly the links to the one million “private” pictures ( 50*50,000*100 = 250,000,000 ).
He needs to pay 10$ for bandwidth for the pictures ( 1M * 0.1MB * 0.0001$/MB).
The non-existing links would cost 25$ ( 250,000,000 *0.0001$/MB *0.001 MB).
Total cost is 535$ to get all the pictures.
BTW, since SmugMug is using S3, bandwidth cost would probably be 0$ since bandwidth between S3 and EC2 is free.
In order to find the interesting ones he uses Amazon Mechanical Turk. He pays 0.01$ for 5 images classification ( a HIT ) so the total cost would be 2000$ (1M * 0.01$/ 5).
Now the evil hacker can post the top 1000 photos on Flickr and get his evil wish fulfilled ( 2535$ cost ).
To make matters worse, a cheap evil person can accomplish the same task with a zero cost, using JavaScript & open web sites.
So, I suggest SmugMug keep doing the great work they are doing, but also invest the time and effort to fix this issue.
The fact that no one has complained so far is just because the attack hasn’t taken place so far. Security through obscurity does not work in the long run.
It is a shame that one evil person can cause so much work and harm to so many good people, but that’s life.
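The comment above models the cost of walking a sequential ID space; what a site operator wants is the other side of that model. The following is an added example, not code from the SmugMug post or any of its commenters: a detector that scans access-log lines (a constructed sample, not real SmugMug logs) for clients that sweep consecutive numeric IDs with a high miss ratio, plus a helper that shows why an opaque random key, rather than a sequential number, makes the guessing cost in the comment stop applying. The log format (`<ip> <status> <path>`) and the `/photos/<id>` URL layout are assumptions made for the example.

```python
"""
Added example (not from the SmugMug post or its commenters): two defender-side
checks against the URL-guessing scenario in the comment above.

1. detect_enumeration(): scans access-log lines (constructed sample below) and
   flags clients whose requests walk through tightly packed numeric photo IDs
   with a high miss (404) ratio, the signature of guessing rather than browsing.
2. unguessable_key() / expected_guesses_per_hit(): show how an opaque random
   key makes the search space large enough that the cost model no longer holds.

Assumed log format "<ip> <status> <path>" and URL layout /photos/<id>.
"""
import re
import secrets
from collections import defaultdict

# Assumed log format, constructed for this example.
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<path>/photos/(?P<id>\d+))$")

# Constructed sample: 10.0.0.9 sweeps sequential IDs and mostly misses;
# 10.0.0.2 is an ordinary visitor following links to existing photos.
SAMPLE_LOG = """\
10.0.0.2 200 /photos/104432
10.0.0.9 404 /photos/100001
10.0.0.9 404 /photos/100002
10.0.0.9 200 /photos/100003
10.0.0.9 404 /photos/100004
10.0.0.9 404 /photos/100005
10.0.0.2 200 /photos/987123
10.0.0.9 404 /photos/100006
10.0.0.9 404 /photos/100007
10.0.0.9 200 /photos/100008
10.0.0.2 200 /photos/104433
10.0.0.9 404 /photos/100009
10.0.0.9 404 /photos/100010
"""


def parse_log(text):
    """Yield (ip, status, photo_id) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ip"), int(m.group("status")), int(m.group("id"))


def detect_enumeration(text, min_requests=8, max_hit_ratio=0.5, max_gap=2):
    """Return {ip: stats} for clients that look like ID-space sweepers.

    A client is flagged when it made at least `min_requests` photo requests,
    at most `max_hit_ratio` of them succeeded, and the requested IDs sit close
    together (median gap between sorted IDs <= `max_gap`).
    """
    per_ip = defaultdict(list)
    for ip, status, pid in parse_log(text):
        per_ip[ip].append((status, pid))

    flagged = {}
    for ip, reqs in per_ip.items():
        if len(reqs) < min_requests:
            continue
        hits = sum(1 for status, _ in reqs if status == 200)
        hit_ratio = hits / len(reqs)
        ids = sorted(pid for _, pid in reqs)
        gaps = sorted(b - a for a, b in zip(ids, ids[1:]))
        median_gap = gaps[len(gaps) // 2]
        if hit_ratio <= max_hit_ratio and median_gap <= max_gap:
            flagged[ip] = {"requests": len(reqs), "hit_ratio": hit_ratio,
                           "median_gap": median_gap}
    return flagged


def unguessable_key(nbytes=16):
    """Random opaque key for a gallery or image URL (128 bits by default)."""
    return secrets.token_urlsafe(nbytes)


def expected_guesses_per_hit(key_bits, real_objects):
    """Average random probes needed before one lands on a real object."""
    return (2 ** key_bits) / real_objects


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
    # 1M real objects behind 128-bit keys: ~3.4e32 guesses per hit, versus
    # 250 guesses per hit in a sequential 250M-ID space like the comment's.
    print(expected_guesses_per_hit(128, 1_000_000))
    print(unguessable_key())
```

The detector deliberately keys on two signals at once: a low hit ratio alone would also catch a crawler following stale links, and tightly packed IDs alone would also catch someone paging through their own gallery; only the combination points at guessing. The key helper is the structural fix the comment asks for: with 128-bit keys, the number of probes per successful hit is astronomically larger than the 250 implied by one million real pictures in 250 million sequential slots, so the EC2 cost arithmetic no longer works at any budget.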
January 31st, 2008 at 11:24 pm
[...] Security and Elastic Computing There is an interesting contest going on in SmugMug image sharing site, you can get 600$ if you can find a security hole in their [...]
February 1st, 2008 at 3:44 am
to Ophir Kra-Oz:
Your scenario just describes how the internet works… And if you consider that an attack, then Google is attacking a lot of sites.
If you have content published on the web, then someone may obtain it and use it badly. That’s why we have laws: you can do a lot of things, but some of them are illegal or even a crime…
February 8th, 2008 at 11:00 am
> If you have content published on the web, then
> someone may obtain it and use it badly. That’s
> why we have laws: you can do a lot of things,
> but some of them are illegal or even a crime…
Actually, here in Germany — not sure about the US — if you don’t lock your bike and someone takes it then there is no law against that taking… it’s not considered stealing, because no one needed to break a lock. Thankfully, that’s why people invented locks and normally use them (including locks on websites).
February 8th, 2008 at 11:02 am
PS: On second thought, that bike thing may well be an urban legend, I don’t know… I’m no lawyer, and I just know I always lock my bike.