Our friends over at Blogoscoped, Philipp Lenssen and Tony Ruscoe, figured out the gallery # and account name for our security contest. They haven’t (yet?) managed to get the actual image. They’ve declined the $1000 bounty, but I’ve offered to donate the same amount, in their name, to the charity of their choice. Still waiting to hear back.

Tim Gosselin, on the other hand, managed to find a way to get a smaller version of the 3Mpix image. Kudos to Tim - clever hack.

Both bugs have already been fixed, I believe, and no-one has managed to get the original image thus far.

I’ve had to lower the bounty amount to $599.99 to avoid tax complications, but both Blogoscoped and Tim will be getting the full amount (or donating it or whatever they choose to do).

The contest is still on, so if you’d like to help us tighten our security, give it a shot.

Wow, first time I’ve slept in since our baby was born (Oct 30th, 2007), and this is what I wake up to. Guess I need to stop slacking.

First, a chance to strike it rich: I’ll give $1,000 $599.99 USD (stupid taxes) to anyone who can get a copy of this photo, or tell me which gallery or account it belongs to. To get paid, you must privately email your findings to SmugMug, including details of how you obtained it such that we can reproduce your success. And of course, I’m not using any tricks not available to our customers. Only the first person to expose a given exploit gets the bounty. Multiple reasonably different exploits? Multiple bounties.

Next, a couple of quick bullet points before we get into the meat of the situation, and then I’ll post the full emails to Philipp after the jump so you can read the un-edited versions for yourself:

• Your private photos are still private. Your secure photos are still secure. Note that there is a difference - this is an important distinction.
• If you have security settings applied to your site, galleries, or photos, no-one can see them. They’re impregnable. The sky is not falling, your photos are safe.
• Philipp Lenssen did us the courtesy of investigating the situation, contacting us, and following up - like any true journalist. I appreciate that. I wish, however, that the rest of the blogosphere, especially those that have taken Philipp’s facts and extrapolated them into some other fantasy world, had done the same. Shame on them. I know it’s always fun to join a witch hunt, but still…
• When people tell us stuff, like Philipp has done this morning, we listen. It may take us awhile to internalize it and act upon it, but I assure you, we’re listening.
• While Philipp and I don’t see eye-to-eye on this issue, he did indirectly bring a privacy hole to my attention, which has now been fixed. More on that later.
• “Locking down” your photos (privacy *and* security) is too complicated with our current UI. We need to do something about that. Count on us to do so.
• Interestingly, Philipp seems to have stolen an image from iStockPhoto and uploaded it to SmugMug as his example image. Kinda ironic, no?

Our customers have long known that we take privacy and security very seriously, and we offer a veritable army of options and settings to protect your photos. Since everyone views security and privacy a little differently than everyone else, we discovered early on that a “one size fits all” setting just doesn’t make sense. Instead, we settled on a lots of knobs and dials so that you, the owner of the photos, can determine exactly who can see your photos and in what context. You can literally lock down your entire SmugMug site, a gallery, or a photo - and anything in between. You can mix and match, and “dial in”, whatever privacy and security settings you’d like, wherever you’d like.

Every setting we have is a direct result of a customer (or lots of customers) asking us for them, and especially people like Philipp who shine a bright light on any deficiencies we may have. I believe we have the very best security and privacy options in our industry - but that doesn’t mean we can’t do better.

Now, on to privacy. The feature is working as intended, and indeed, is working exactly like thousands and thousands of our customers have asked us to make it work. You can read in the blogoscoped comments thread where our customers are insisting to Philipp that the feature is designed exactly the way they’d like, and we agree.

To us, privacy and security are two separate, but related, issues. One analogy we use often is that security is like locking your front door and arming your alarm (no-one can get in without a key), and privacy is like closing your window blinds (no-one can look in from the outside, but you can tell people where you live and they can visit without a key). Another analogy our customers use is that of phone numbers. My number isn’t listed, but that doesn’t mean someone can’t call me if they can guess it, or brute-force my area code, or otherwise get the number from some other source.

When you set your SmugMug gallery to ‘private’, this is exactly what you’re doing - making the gallery and photos difficult, but not impossible, to find. It’s intentionally easy to share with your friends and family via email, IM, in a blog or forum post, etc. No password, login, or any other messy security measure in place to make it difficult to share - just a URL. Only people you’ve shared this URL with can find those photos - with one exception I’ll get to in a minute. Our customers love this feature, and have worked with us over the years to specifically design it this way.

Now, there is one exception, and this is the crux of Philipp’s blog post: you can, in theory, guess the URL and view the photos. This is absolutely true, but let’s remember two things:

• It’s difficult to guess a photo from among a sample size nearly 250,000,000 strong.
• We offer *lots* of additional options to make this impossible should you want to. This is key - we let you “dial in” the level of privacy and security you want, and this single, lone setting is just the tip of iceberg.

Philipp is absolutely right, guessing a photo from among 250,000,000 is easier than guessing a photo from a GUID. It’s still very difficult. I wish I’d done GUIDs when we first started, but to be honest, I just didn’t know what they were. That’s my fault. As I explained to Philipp, we’re willing to overhaul our system to use GUIDs - a very expensive proposition - except that no-one has ever asked for them, to my knowledge, in the 5 years we’ve been in business. Again, most of our customers appreciate that the privacy setting works the way it does, and appreciate that they have lots of additional privacy and security precautions they can take. Try winning the $1000 yourself, if you don’t believe me.

In conclusion, you, as the customer, have full control over exactly who can view your photos, as you have always had. We can clearly make some improvements to our UI to make it more obvious what’s going on, and especially to make it easier to “Lock it down”. We’re also willing to move to GUIDs if our customers ask us, just like we’re willing to do almost anything our customers ask us to. Please do let us know.

After the jump, the full emails I sent to Philipp, un-edited, and some details about the privacy hole I plugged this weekend, thanks in part to Philipp’s investigation.

(more…)

I’ve been getting a little flack for not joining DataPortability.org and want to set the record straight:

• SmugMug has believed since the beginning that your photos and metatdata are yours to do with what you will. We view them as being on loan to us for safekeeping, and we take that role very seriously.
• SmugMug has emailed DataPortability to see about joining, contributing, whatever. No response. Don’t ask me why - ask them. I imagine they’re busy.
• SmugMug already supports OpenID (and better support is coming), XFN & FOAF, RSS, Atom & KML, and has a rich API to both store and retrieve your data.
• We’re committed to all of the ideals that DataPortability.org is pushing, and hope to see this stuff become the rule, rather than the exception.

While I’m on my soapbox, I think it’s important to note that many of the participants in the DataPortability project have been making their data portable for many years. I’m not sure why the media is trumpeting each new company that joins as if it’s just gotten religion, but companies like Flickr and SixApart (and us) have been doing more than talking about this for a long time. Give credit where credit is due.

Anyway, whenever we figure out how we can contribute, we will. We love the idea of our customers’ data being portable. It’s the right thing to do.

SmugMug isn’t your normal Silicon Valley startup. We do everything differently. And Jessica Guynn’s Column One article on the front page of the LA Times this morning captures our quirky nature perfectly. If you want a glimpse into our mad, wonderful world, head on over there for a great read.

Special thanks to Terry Chay and Stan Chudnovsky for introducing Jessica and making sure I followed up with her.

And an extra special thanks to all of our customers who’ve become part of the family and made SmugMug the company it is today. You’re the best!

I’m flattered! TechCrunch, GigaOM, Read/WriteWeb and VentureBeat have joined forces to award prizes to the best startups. And SmugMug is one of the finalists - for Best Design! I’m so used to us getting overlooked in these sorts of things that I was completely blindsided.

But enough about that - do me a favor and go vote for SmugMug! (And you can vote once a day - so keep coming back. Please?) I know we have *lots* of iPhone readers, so don’t forget to vote on your phone!

We’re currently trying to track down our mascot, Smuggy, who’s gone world-traveler on us. You can help! (And win an all expenses paid trip to Napa Valley in California)

He was last spotted in China on top of the Great Wall:

Have you seen Smuggy? Snap a shot, let us know!

Got a funny bone and a camera? Think you’d enjoy a fabulous weekend for two at a luxury resort in California’s Napa Valley? Have I got the contest for you!

The contest is simple: Grab your camera and take a photo of Smuggy, our mascot, in an outrageous, exotic, or surprising locale and you could score big. No purchase necessary, open to anyone in the US. (Sorry to our friends around the world - dang lawyers! )

Create a Smuggy out of whatever you’ve got handy or drop us an email and we’ll send you stickers, camera straps, and more. Here’s our very first entry:

What are you waiting for? Read the rules and get shooting!

I’m happy to announce a few API-related things:

• v1.2.0 is now marked as stable. Everyone should be safe to use this.
• v1.2.1 is now the new beta release and introduces lots of new stuff. The docs aren’t fully updated yet, but you can read about the new methods and variables on this dgrin thread.
• A SmugMug API contest! Win an iPhone (or something of equivalent value if you’re not in an iPhone territory or just don’t want one)

I’m hoping we can make contests like these a regular occurrence, but we’ll see how this one goes first.

You can find all the details over on this dgrin thread announcing the contest.

Oh, and don’t forget that SmugMug API developers get lifetime free Pro accounts. So there’s no cost to enter and play.

Good luck!

At SmugMug, we think one good deed deserves another, so we happily donate free Pro accounts (normally $150/year) to non-profit organizations. We’ve been doing this for years, but I just realized I’d never blogged about it. Silly me.

So if you’re involved with a non-profit and would like to use the world’s best photo sharing site to make your work easier or share it more meaningfully, just drop us a line. We’re happy to help.

On a related note, we do the same for API developers.

Read over on O’Reilly Radar about David Recordon’s post at Six Apart entitled We Are Opening the Social Graph. He talks about the emerging tools and technology to allow shared social graphs, like OpenID, XFN, FOAF, and others.

Given that Thursday night is ‘Release Night’ at SmugMug and I had a few minutes to kill, I felt inspired and whipped up XFN and FOAF support to compliment the partial OpenID support SmugMug already has. (I apologize for not finishing our OpenID implementation yet, but I’m finding OpenID 2.0 to be a complete disaster and find myself at a loss as to what to do. Anyway, I digress…).

I’m absolutely positive we’re barely scratching the surface, and people like David will set me straight, but at least we’re making forward progress - 150K SmugMug accounts now have auto-discoverable FOAF, embedded XFN, and are OpenID endpoints.

What does this mean for you? It means, hopefully, that SmugMug can play nicely with other social applications on the web. Your network of friends & family is now published in machine-readable formats so that other networks can do intelligent things with that data. How exactly this will happen remains to be seen, but there are lots of bright people thinking about it, so hopefully it’ll happen.

At the very least, when the Semantic Web actually works in the year 2022, SmugMug will be ready.

UPDATE: I should have mentioned that these technologies do properly obey your SmugIslands and other related privacy settings to protect you should you not want to share this information.