Comments on: First two security winners

By: mod converter

mod converter — Fri, 06 Nov 2009 15:56:58 +0000

Love it! You got me so excited to get one and start shooting video!

By: Jeff Nappi

Jeff Nappi — Mon, 02 Nov 2009 21:15:42 +0000

Amazon would shut down such an attacker within hours!

By: Philipp Lenssen

Philipp Lenssen — Fri, 08 Feb 2008 18:02:30 +0000

PS: On second thought, that bike thing may well have be an urban legend, I don’t know… I’m no lawyer, and I just know I always lock my bike

By: Philipp Lenssen

Philipp Lenssen — Fri, 08 Feb 2008 18:00:26 +0000

> If you have content published on the web, then
> someone may obtain it and use it badly. That’s
> why we have laws: you can do a lot of things,
> but some of them are illegal or even a crime…

Actually, here in Germany — not sure about the US — if you don’t lock your bike and someone takes it then there is no law against that taking… it’s not considered stealing, because no one needed to break a lock. Thankfully, that’s why people invented locks and normally use them (including locks on websites).

By: Jorge Oliveira

Jorge Oliveira — Fri, 01 Feb 2008 10:44:13 +0000

to Ophir Kra-Oz:

Your scenario just describes how internet works… And if you consider that an attack, then Google is attacking alot of sites

If you have content published on the web, then someone may obtain it and use it badly. That’s why we have laws: you can do a lot of things, but some of them are illegal or even a crime…

By: Privacy, Security and Elastic Computing « Evil Fish

Privacy, Security and Elastic Computing « Evil Fish — Fri, 01 Feb 2008 06:24:02 +0000

[...] Security and Elastic Computing There is an interesting contest going on in SmugMug image sharing site, you can get 600$ if you can find a security hole in their [...]

By: Ophir Kra-Oz

Ophir Kra-Oz — Fri, 01 Feb 2008 05:53:58 +0000

The assumptions made about privacy and security are quite flawed.
I love SmugMug and Don’s blog a lot but it seems he is missing the point.

I’ll demonstrate by assuming there is one evil person in the world who hates SmugMug for being so cool and successful.

This person decides to spend his hard earned money to create a publicity nightmare.
Lets assume there are 1 Million real picture out of the 250 Million possible URL’s ( Number does not really matter).

He spends 500$ to get 100 servers from Amazon EC2 and use them for 2 days. Each server can send 50,000 HTTP requests per hour.
After 2 days the evil person knows exactly the links to the one million “private” pictures ( 50*50,000*100 = 250,000,000 ).

He needs to pay 10$ for bandwidth for the pictures ( 1M * 0.1MB * 0.0001$/MB).
The non existing links would cost 25$ ( 250,000,000 *0.0001$/MB *0.001
MB).
Total cost is 535$ to get all the pictures.
BTW, since SmugMug is using S3 bandwidth cost would probably be 0$ since bandwidth between S3 and EC2 is free

In order to find the interesting ones he uses Amazon Mechanical Turk. He pays 0.01$ for 5 images classification ( a HIT ) so the total cost would be 2000$ (1M * 0.01$/ 5).

Now the evil hacker can post top 1000 photos in Flicker and get his evil wish fulfilled ( 2535$ cost )

To make matters worse, a cheap evil person can accomplish the same task with a zero cost, using JavaScript & open web sites.

So, I suggest SmugMug keep doing the great work they are doing, but also invest the time an effort to fix this issue.

The fact no one has complained so far, is just because the attack didn’t take place so far. Security through obscurity does not work in the long run.

It is a shame that one evil person can cause so much work and harm to so many good people, but that’s life.

By: Matt Johnson

Matt Johnson — Wed, 30 Jan 2008 18:47:13 +0000

A “medium” resolution image was viewable… and it was restricted to medium because the album settings had the largest size set to “medium” though I think the default for largest size on new albums is “original” and if the album was set to that, then the original resolution image would have been accessible.

If the largest size was set to “original” I also believe this would have bypassed the watermarking since the original is not watermarked. If someone else would like to confirm the watermarking issue, that would be nice.

By: Loren

Loren — Wed, 30 Jan 2008 00:39:23 +0000

This is probably a bit off topic, but still relevant to the security vs privacy portion of this discussion:

http://www.schneier.com/blog/archives/2008/01/security_vs_pri.html

Cheers,

By: Darryl

Darryl — Tue, 29 Jan 2008 22:38:35 +0000

Yeah, I’m curious about the bug-fixes. Oh wait, I think I noticed the CNAME fix yesterday when I tried my Fusker script. That’s probably how they figured out the account name, right? I wonder how they found the gallery though if it was private. That’s a junkload of guessing, unless I suppose, you can find an adjacent photo’s public gallery ID and then make some more educated guesses.

Was the image ever actually viewable without hacks?