A post entitled SmugMug's Private Pics Are Public caught my eye yesterday. The news doesn't sound too surprising, since these types of security problems aren't at all uncommon, but Don (SmugMug's CEO) is a friend of mine, and I know he takes security very seriously. (He's also fairly proactive about research; he and his team independently discovered CSRF a few years ago, without realizing it was a known problem.)
The author of the post makes a revealing comment in the opening paragraph:
I've failed to convince the site makers this vulnerability is worth fixing.
This sounds like code for:
I've failed to determine whether this is really a security problem.
Blatant attempts to bias me (the reader) usually make me question the legitimacy of the argument instead. But, I read a lot of blogs, so I'm used to a certain amount of embellishment and distortion, particularly when someone is trying to get attention. (Read anything about PDO lately?)
The heart of the issue is a distinction between privacy and security, which Don mentions in his response:
Your private photos are still private. Your secure photos are still secure. Note that there is a difference; this is an important distinction.
He also offers an incentive for those who wish to help test and improve SmugMug's security:
I'll give $1,000 USD to anyone who can get a copy of this photo.
I think Don does have a problem, and although it might not be a security problem, it's at least as important. The author of the original post is focusing on a single option, where a user can set public to Yes or No. Immediately beside this option is an explanation:
Show this gallery on your home page?
Despite this explanation, the author believes that choosing No does much more than omit the gallery from his home page. He assumes that it prevents any unauthorized access, despite a separate option for password-protecting a gallery. (I don't fault him for this at all, which is exactly why I think Don has a problem.)
This is a user experience problem. SmugMug lets users fine-tune their privacy and security settings, but these settings are provided as booleans, so each one can seem very absolute, particularly when using labels like public. It also requires users to use a common and very precise vocabulary regarding privacy and security, where any misunderstanding can result in undesired behavior.
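To make the distinction concrete, here is a small model of the two settings discussed above, written for this post and not SmugMug's own code: the option labelled "public" only controls listing on the home page, while the separate gallery password is the actual access control, so a gallery with public set to No but no password remains viewable by anyone holding the link. Gallery names and the password are constructed sample values.

```python
from dataclasses import dataclass
from typing import Optional
import hmac


@dataclass
class Gallery:
    name: str
    listed_on_home_page: bool          # the option the UI labels "public"
    password: Optional[str] = None     # the separate password-protect option
    # Plaintext password kept only to keep this model short; a real system
    # would store a salted hash and compare against that.


def home_page_galleries(galleries):
    """Privacy setting: unlisted galleries are merely omitted from the
    home page. Nothing here prevents reaching them by direct link."""
    return [g.name for g in galleries if g.listed_on_home_page]


def can_view(gallery, supplied_password=None):
    """Security setting: the authorization decision for a direct link.
    Listing status is deliberately not consulted, because it only
    controls discoverability, not access."""
    if gallery.password is None:
        return True                    # no password set: open to anyone
    if supplied_password is None:
        return False
    return hmac.compare_digest(gallery.password, supplied_password)


def describe(gallery):
    """Label a gallery by both independent properties, rather than by a
    single 'public' toggle whose meaning users have to guess."""
    listing = "listed" if gallery.listed_on_home_page else "unlisted"
    if gallery.password is None:
        access = "open to anyone with the link"
    else:
        access = "password-protected"
    return f"{listing}, {access}"
```

A UI that surfaces the `describe()` wording next to each gallery would have told the original author that "unlisted, open to anyone with the link" is what his setting actually meant.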
I asked Jon about this, since he's a user experience guru, and he guessed that the data model was driving the interface. This seems likely, but coming up with a simple way to define a particular combination of privacy and security settings can be challenging, especially when there are so many.
Apple's Airport Utility includes an option to create a closed network, which means to join the network, a user must know the name of the network.
I usually rely on Apple to set the standard for user experience, but I'm not particularly impressed with their interface either. Doesn't it seem possible that a user might expect a closed network to be truly closed in the same way that a user might expect a private gallery to be truly private?
Knowing Don, he's already hard at work trying to come up with a better way to present these settings. Here's hoping we can all take a moment to consider how important user experience is the next time we're developing a security feature.
Posting highlights of the previous year has become a blogging cliché, but this is my 5th consecutive year doing so, and it's a tradition I hope to keep. It gives me a nice record of the previous year as well as a chance to make my plans for the upcoming year public. Nothing like sharing your goals with a few thousand friends to motivate you. :-)
I devoted a lot of my time and effort to work, and I hope the results will speak for themselves in the coming year. In an effort to continue to attract top talent, we recently opened an office in New York, widely considered to be the greatest city in the world. For those familiar with New York, the office is in DUMBO, a Brooklyn neighborhood that boasts such establishments as world-famous Grimaldi's Pizzeria, Jacques Torres Chocolate, River Café, Superfine, Brooklyn Ice Cream Factory, and Brooklyn Bridge Park. (I could go on.) With great colleagues, interesting and challenging work, and an awesome neighborhood, going to the office is something I look forward to every morning. (We have some extra desks if you're interested.)
Christina and I bought our first home. It's in Prospect Heights, another awesome Brooklyn neighborhood just steps from Prospect Park, where I play soccer every weekend. We're also in close proximity to Bierkraft, The Chocolate Room, Le Gamin, Gorilla Coffee, Tea Lounge, Joyce Bakeshop, Union Hall, and Tom's Restaurant. (Again, I could go on. Can you tell I love Brooklyn?)
Other highlights include:
In February, I attended the inaugural Kiwi Foo Camp. (I was fortunate enough to be invited to the inaugural Foo Camp a few years prior, but I wasn't able to attend until the following year.) I met some interesting people and got a chance to visit New Zealand and Australia for the first time.
In March, I unveiled a major update to my blog, including an award-winning new design by Jon Tan.
Also in March, I disclosed a CSRF vulnerability in Amazon after a year of silence.
In April, I participated in my first CSS Naked Day. It was a chance to show off my new design, particularly the fact that the design is more than skin deep.
In August, I participated in the 10th and final Midnight Madness, my 5th, and we won!
In September, OmniTI turned 10.
In December, I organized the first PHP Advent Calendar, hopefully creating a new tradition.
I didn't blog nearly as much as I would have liked, dropping from 106 posts in 2006 to 66 posts in 2007. Hopefully I can regain my inspiration for learning and sharing what I know.
I did manage to speak at fewer conferences:
Spoke at PHP Quebec for the third time. (15 - 16 Mar)
Spoke at php|tek for the third time. (16 - 18 May)
Spoke at OSCON for the fifth time. (23 - 27 Jul)
Spoke at php|works for the fourth time. (13 - 14 Sep)
Spoke at the Future of Web Apps for the first time. (01 - 05 Oct)
Spoke at ZendCon for the third time. (08 - 11 Oct)
Spoke at the DC PHP Conference for the second time. (07 - 09 Nov)
Spoke at ApacheCon for the fourth time. (14 - 15 Nov)
I'm particularly proud of this, since I have been trying to reduce my travel time for a few years. I also gave two keynotes, including the opening keynote at the DC PHP Conference.
This time next year, I hope to include the following in my highlights:
A Useful Open Source Project
A Cool Web Site
A Successful Year for OmniTI
Another Injury-Free Year of Soccer
More Blog Posts
I hope everyone has a wonderful 2008. :-)