<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: On so-called &#8216;holes&#8217; in our new privacy scheme</title>
	<atom:link href="http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/</link>
	<description>Thought stream from SmugMug's CEO &#38; Chief Geek</description>
	<pubDate>Sat, 17 May 2008 05:25:28 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6-bleeding</generator>
		<item>
		<title>By: .: GAFNO.com - Hot World News Blog :. &#187; Blog Archive &#187; SmugMug and Amazon S3</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102186</link>
		<dc:creator>.: GAFNO.com - Hot World News Blog :. &#187; Blog Archive &#187; SmugMug and Amazon S3</dc:creator>
		<pubDate>Wed, 05 Mar 2008 21:39:31 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102186</guid>
		<description>[...] When online photo site SmugMug initially contacted me, it was in the context of some of the pieces that I had written about competitor Flickr and about some of the issues associated with protecting photographers&#8217; works online. In a nutshell, relative to Flickr, SmugMug has opted for less of an open community orientation and more for ways to store and display photos with a rather granular set of access controls. (See some discussion by CEO and &#8220;Chief Geek&#8221; Don MacAskill here.) [...]</description>
		<content:encoded><![CDATA[<p>[...] When online photo site SmugMug initially contacted me, it was in the context of some of the pieces that I had written about competitor Flickr and about some of the issues associated with protecting photographers&#8217; works online. In a nutshell, relative to Flickr, SmugMug has opted for less of an open community orientation and more for ways to store and display photos with a rather granular set of access controls. (See some discussion by CEO and &#8220;Chief Geek&#8221; Don MacAskill here.) [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Illuminata Perspectives &#187; Blog Archive &#187; SmugMug and S3</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102183</link>
		<dc:creator>Illuminata Perspectives &#187; Blog Archive &#187; SmugMug and S3</dc:creator>
		<pubDate>Wed, 05 Mar 2008 16:38:55 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102183</guid>
		<description>[...] When online photo site SmugMug initially contacted me, it was in the context of some of the pieces that I had written about competitor Flickr and about some of the issues associated with protecting photographers&#8217; works online. In a nutshell, relative to Flickr, SmugMug has opted for less of an open community orientation and more for ways to store and display photos with a rather granular set of access controls. (See some discussion by CEO and &#8220;Chief Geek&#8221; Don MacAskill here.) [...]</description>
		<content:encoded><![CDATA[<p>[...] When online photo site SmugMug initially contacted me, it was in the context of some of the pieces that I had written about competitor Flickr and about some of the issues associated with protecting photographers&#8217; works online. In a nutshell, relative to Flickr, SmugMug has opted for less of an open community orientation and more for ways to store and display photos with a rather granular set of access controls. (See some discussion by CEO and &#8220;Chief Geek&#8221; Don MacAskill here.) [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Felicia</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102172</link>
		<dc:creator>Felicia</dc:creator>
		<pubDate>Sun, 02 Mar 2008 22:09:51 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102172</guid>
		<description>Smugmug has set the standard in customer service and valuing the customer.  I fired an internet service because they just didn't measure up to Smugmug's standards.  Your ethics and fabulous treatment of your customers make me want to be a lifetime Smugmug customer!</description>
		<content:encoded><![CDATA[<p>Smugmug has set the standard in customer service and valuing the customer.  I fired an internet service because they just didn&#8217;t measure up to Smugmug&#8217;s standards.  Your ethics and fabulous treatment of your customers make me want to be a lifetime Smugmug customer!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nick</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102127</link>
		<dc:creator>Nick</dc:creator>
		<pubDate>Fri, 22 Feb 2008 05:18:27 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102127</guid>
		<description>Don, I am an IT Security professional, and I work in a SaaS environment as well. I have some comments here. 
I did not join the witch hunt you wanted everyone to do because of ethical bounds and potential legal ramifications. That is beside the point. 

As for the security firm, I couldn't agree more. You have to worry about those types of firms "leaking" your name and results. Working for a company that also has independent audits performed, I would like to give some words of wisdom. 

Have very strict NDA's in place. 
Have your attorneys review everything to make sure they can not leak your report. 
Ask them questions about how they keep their networks secure (remember your dirty laundry is now on their systems). You would be surprised...
If they can't manage their own network, don't think they know how to tell you to manage yours. 
Get a nice exec summary that you can release to potential clients who ask for it. Think twice before publishing the executive summary online. 
Confine the space they can work within. No trojans, back doors, DOS, etc. 
Give them time frames when your site is not busy in case they do cause harm or impact your site. 
Get references and check them. 
Change your vendor every two audit cycles. This keeps it independent and nobody gets time to "relax". 

Full disclosure: I do not work for any consulting firm, nor do I have ANY financial incentive with any consulting firms. 

If you want to know more about my "pains", contact me offline and I would be happy to talk with you.</description>
		<content:encoded><![CDATA[<p>Don, I am an IT Security professional, and I work in a SaaS environment as well. I have some comments here.<br />
I did not join the witch hunt you wanted everyone to do because of ethical bounds and potential legal ramifications. That is beside the point. </p>
<p>As for the security firm, I couldn&#8217;t agree more. You have to worry about those types of firms &#8220;leaking&#8221; your name and results. Working for a company that also has independent audits performed, I would like to give some words of wisdom. </p>
<p>Have very strict NDA&#8217;s in place.<br />
Have your attorneys review everything to make sure they can not leak your report.<br />
Ask them questions about how they keep their networks secure (remember your dirty laundry is now on their systems). You would be surprised&#8230;<br />
If they can&#8217;t manage their own network, don&#8217;t think they know how to tell you to manage yours.<br />
Get a nice exec summary that you can release to potential clients who ask for it. Think twice before publishing the executive summary online.<br />
Confine the space they can work within. No trojans, back doors, DOS, etc.<br />
Give them time frames when your site is not busy in case they do cause harm or impact your site.<br />
Get references and check them.<br />
Change your vendor every two audit cycles. This keeps it independent and nobody gets time to &#8220;relax&#8221;. </p>
<p>Full disclosure: I do not work for any consulting firm, nor do I have ANY financial incentive with any consulting firms. </p>
<p>If you want to know more about my &#8220;pains&#8221;, contact me offline and I would be happy to talk with you.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Doug</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102117</link>
		<dc:creator>Doug</dc:creator>
		<pubDate>Wed, 20 Feb 2008 19:30:19 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102117</guid>
		<description>Re: John's "Does this mean smugmug is less secure than Flickr" comment:

It may or may not be, but I think a lot of the reason you see it more is that Don "fuels the fire" by responding, and actively participating in the "security hunt". I personally view this as smugmug being MORE secure. Any company who is willing to talk about their security measures in the open, and who does not rely solely on security by obscurity scores security points in my book. 

I just took a look at the blog section on flickr and there are no technical posts, only marketing blog posts. A quick search for 'flickr security' on google results in a few security risks on flickr. I can't claim to follow flickr as closely as I follow smugmug, but my impression is that they probably have a similar number of potential flaws, but handle them differently. 

Keep up the good work folks. 

On a side note... If you think that anything you put on the internet is secure, think again. Somewhere, some admin has access to everything you put on the internet. Yes, that means your bank account number, your social security number, everything. I have seen first hand the atrocious way that a number of reputable companies store your data, and it's a joke. Have you ever been in the kitchen of your favorite "home style" mexican restaurant down the street? 

Gordon Ramsay could do a show called "Hell's Information Security policies", and you'd be amazed. 95% of security measures in place on the internet are merely to keep honest people honest, and do not provide significant protection from a bad guy with enough motivation. Don't fool yourselves :)</description>
		<content:encoded><![CDATA[<p>Re: John&#8217;s &#8220;Does this mean smugmug is less secure than Flickr&#8221; comment:</p>
<p>It may or may not be, but I think a lot of the reason you see it more is that Don &#8220;fuels the fire&#8221; by responding, and actively participating in the &#8220;security hunt&#8221;. I personally view this as smugmug being MORE secure. Any company who is willing to talk about their security measures in the open, and who does not rely solely on security by obscurity scores security points in my book. </p>
<p>I just took a look at the blog section on flickr and there are no technical posts, only marketing blog posts. A quick search for &#8216;flickr security&#8217; on google results in a few security risks on flickr. I can&#8217;t claim to follow flickr as closely as I follow smugmug, but my impression is that they probably have a similar number of potential flaws, but handle them differently. </p>
<p>Keep up the good work folks. </p>
<p>On a side note&#8230; If you think that anything you put on the internet is secure, think again. Somewhere, some admin has access to everything you put on the internet. Yes, that means your bank account number, your social security number, everything. I have seen first hand the atrocious way that a number of reputable companies store your data, and it&#8217;s a joke. Have you ever been in the kitchen of your favorite &#8220;home style&#8221; mexican restaurant down the street? </p>
<p>Gordon Ramsay could do a show called &#8220;Hell&#8217;s Information Security policies&#8221;, and you&#8217;d be amazed. 95% of security measures in place on the internet are merely to keep honest people honest, and do not provide significant protection from a bad guy with enough motivation. Don&#8217;t fool yourselves <img src='http://blogs.smugmug.com/don/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102114</link>
		<dc:creator>John</dc:creator>
		<pubDate>Wed, 20 Feb 2008 06:10:53 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102114</guid>
		<description>It seems Smugmug is always under some sort of R&#38;D hack, whereas Flickr doesn't seem to be in this at all - putting aside the issue of Beskerming wanting your biz. Does it mean Flickr's security is superior to Smugmug's?

Will this make potential customers gradually shy away from Smugmug?</description>
		<content:encoded><![CDATA[<p>It seems Smugmug is always under some sort of R&amp;D hack, whereas Flickr doesn&#8217;t seem to be in this at all - putting aside the issue of Beskerming wanting your biz. Does it mean Flickr&#8217;s security is superior to Smugmug&#8217;s?</p>
<p>Will this make potential customers gradually shy away from Smugmug?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Colleen</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102111</link>
		<dc:creator>Colleen</dc:creator>
		<pubDate>Wed, 20 Feb 2008 02:11:57 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102111</guid>
		<description>I just wanted to say that I too am happy with the way you as a whole have handled this entire situation. I always understood what private meant but I do appreciate that there are people who didn't and I think the new unlisted is great. I am also VERY happy that you grandfathered older images in so as not to break links. People who want new features can make the appropriate adjustments.
I second what the first poster said in why I LOVE smugmug and try to tell everyone I meet how great it is and worth every penny. Thank you for all you do.</description>
		<content:encoded><![CDATA[<p>I just wanted to say that I too am happy with the way you as a whole have handled this entire situation. I always understood what private meant but I do appreciate that there are people who didn&#8217;t and I think the new unlisted is great. I am also VERY happy that you grandfathered older images in so as not to break links. People who want new features can make the appropriate adjustments.<br />
I second what the first poster said in why I LOVE smugmug and try to tell everyone I meet how great it is and worth every penny. Thank you for all you do.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Matt Johnson</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102110</link>
		<dc:creator>Matt Johnson</dc:creator>
		<pubDate>Tue, 19 Feb 2008 22:36:07 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102110</guid>
		<description>The announcements of the bugs that allowed some images to be visible that were previously thought as privately protected gave me a reason to check a few things. I used my existing account to check a few of the issues that people raised and reported them to SmugMug. After they announced they had the holes plugged, I went back and checked 5 different bugs I had identified myself, and every single one had been plugged correctly. SmugMug's response, I felt, was in accordance with the issues, as if they were critical to customers.

I have been very pleased with SmugMug's response to these issues. I feel that these privacy issues were important but not critical as Doug points out. If I were selling photos online, and this was business for me, then it would probably rate more on the critical level. I have had a pro account since 2005 and I don't see any reason why I would even CONSIDER discontinuing my account for several years (4+) to come.</description>
		<content:encoded><![CDATA[<p>The announcements of the bugs that allowed some images to be visible that were previously thought as privately protected gave me a reason to check a few things. I used my existing account to check a few of the issues that people raised and reported them to SmugMug. After they announced they had the holes plugged, I went back and checked 5 different bugs I had identified myself, and every single one had been plugged correctly. SmugMug&#8217;s response, I felt, was in accordance with the issues, as if they were critical to customers.</p>
<p>I have been very pleased with SmugMug&#8217;s response to these issues. I feel that these privacy issues were important but not critical as Doug points out. If I were selling photos online, and this was business for me, then it would probably rate more on the critical level. I have had a pro account since 2005 and I don&#8217;t see any reason why I would even CONSIDER discontinuing my account for several years (4+) to come.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Justin</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102109</link>
		<dc:creator>Justin</dc:creator>
		<pubDate>Tue, 19 Feb 2008 21:57:52 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102109</guid>
		<description>Don, the way you guys have handled all this is EXACTLY the reason I will strongly consider *paying* for your service where I could get something at least somewhat comparable for free. Great work to everyone who's helped to address these security issues, even if most of them are benign anyway. Look to see me sending money your way sometime in the future.</description>
		<content:encoded><![CDATA[<p>Don, the way you guys have handled all this is EXACTLY the reason I will strongly consider *paying* for your service where I could get something at least somewhat comparable for free. Great work to everyone who&#8217;s helped to address these security issues, even if most of them are benign anyway. Look to see me sending money your way sometime in the future.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Doug</title>
		<link>http://blogs.smugmug.com/don/2008/02/19/on-so-called-holes-in-our-new-privacy-scheme/#comment-102108</link>
		<dc:creator>Doug</dc:creator>
		<pubDate>Tue, 19 Feb 2008 20:50:37 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.smugmug.com/don/?p=198#comment-102108</guid>
		<description>Hi Don --

I'm sure there are lemmings out there who leap at the opportunity to pile upon the latest "internet wrath" bandwagon, but I just wanted to assure you that not EVERYONE is as easily swayed by these attention seekers. 

I have been a loyal smugmug user for a number of years now. While I appreciate the effort towards security, please remember, these are photos, not my bank account. Personally, I use smugmug for the following reasons, please don't lose sight of this:

1) Unlimited photos. No questions asked. Unlimited size. Unlimited photos. No nickel and diming.

2) fair price for above referenced benefit 

3) Able to easily hot link from other sites (forums, my homepage, etc). 

I'm an IT consultant, with banking industry clients... But come Monday when I log on to smugmug, I just want to show my friends what I did over the weekend :)</description>
		<content:encoded><![CDATA[<p>Hi Don &#8211;</p>
<p>I&#8217;m sure there are lemmings out there who leap at the opportunity to pile upon the latest &#8220;internet wrath&#8221; bandwagon, but I just wanted to assure you that not EVERYONE is as easily swayed by these attention seekers. </p>
<p>I have been a loyal smugmug user for a number of years now. While I appreciate the effort towards security, please remember, these are photos, not my bank account. Personally, I use smugmug for the following reasons, please don&#8217;t lose sight of this:</p>
<p>1) Unlimited photos. No questions asked. Unlimited size. Unlimited photos. No nickel and diming.</p>
<p>2) fair price for above referenced benefit </p>
<p>3) Able to easily hot link from other sites (forums, my homepage, etc). </p>
<p>I&#8217;m an IT consultant, with banking industry clients&#8230; But come Monday when I log on to smugmug, I just want to show my friends what I did over the weekend <img src='http://blogs.smugmug.com/don/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
	</item>
</channel>
</rss>
