Apparently the popular photo sharing site Smugmug has a huge security hole that could allow anyone with a bit of common sense to access private photos on Smugmug. The basic problem here is that Smugmug uses URL’s for public and private galleries in a way that can be easily guessed. And whats even more shameful is that the people behind the site are aware of this issue, but they seem to be too keen to say that this is intended behavior.

If seeing private photos via publicly accessible URL’s is what you call intended behavior then I have nothing else to say to the Smugmug team..

Let me take an example here, when I typed in http://www.smugmug.com/gallery/1021 into my browser, i was looking at a collection of photos that were perhaps not meant for people like you and me to have a peak at. Ofcourse Smugmug has other features like password protection, but I’m sure that most users would take password protection as an added trouble in making photos private. They probably think that by marking them as private, no one else except them could see it. But things don’t work that way at Smugmug.

This hole was discovered by Google Blogoscoped and here is what the CEO of Smugmug Don MacAskill had to say to Google Blogoscoped :

“…we view security and privacy as two separate, but related, issues. Security is like locking your front door (no-one can get in with out a key) and privacy is like closing your window drapes (no-one can look in from the outside, but you can tell people where you live and they can visit without a key).

At SmugMug, the feature you’re talking about, private galleries, falls under the privacy umbrella, not security. It’s intentionally designed so that you can “tell other people” about your photos (share a URL in an email, embed or hyperlink on your blog or message forum, etc) without having to share something like a password. Only people you’ve shared this URL with can find the gallery and/or photos in question.

But the URL’s that Smugmug generates for their private photos can easily be guessed and anyone who’s got a little bit of common sense could figure it out and look at photos they aren’t supposed to be seeing. A possible alternative for Smugmug would be to use URL’s like the ones Flickr uses that is based on the GUID of the image.

Have a look at these URL’s (these are private photos):

• On Flickr : http://flickr.com/photos/21355799@N02/2202765901/in/set-72157603746681202/
• On Smugmug : http://www.smugmug.com/gallery/1021

Things clearly aren’t looking good for Smugmug here. Someone could develop a bot that would download all private images from Smugmug and put it for everyone else to see, something that happened recently with Myspace.

Via Google Blogoscoped

Here is what Wei Zhu of Facebook had to say about the new library

Since the library does not require any server-side code on your server, you can now create a Facebook application that can be hosted on any web site that serves static HTML. An application that uses this client library should be registered as an iframe type. This applies to either iframe Facebook apps that users access through the Facebook web site or apps that users access directly on the app’s own web sites. Almost all Facebook APIs are supported.

I have to say, that this really is a good move considering the popularity that the Facebook Apps have. If the developers could take it beyond Facebook and leverage the power of the Open Web, then it means a big win for Mark Zuckerberg and team.

Well this announcement has its own share of privacy concerns as well. The most important thing is that Facebook now have a way from which they can collect even more data about its users and what they do on the web, by using the power of cookies.

Facebook is definitely trying to be a Internet major here, and is trying to muscle up its power to control the web. Looking from another perspective though shows Facebook trying to unleash the potential of the Web. By allowing developers to build more and more applications for the open web, Facebook now has a way to add more and more new members into its service, while retaining control over the millions of relationships that other users of Facebook have aka the Social Graph.

But this announcement can possibly be a game changer and by becoming a application host. This move would surely make other competitors think about become app hosts themselves, by opening up their platforms for developers to use and build apps that would run anywhere on the Web.

• Disable WordPress Core Update

Completely disables the core update checking system which is a new feature in WordPress 2.3. The plugin prevents WordPress from checking for updates, and prevents any notifications from being displayed in the admin area. Ideal for administrators of multiple WordPress installations.

• Disable WordPress Plugin Updates

Completely disables the plugin update checking system which is a new feature in WordPress 2.3. The plugin prevents WordPress from checking for updates, and prevents any notifications from being displayed on the Plugins page. Ideal for administrators of multiple WordPress installations.

If you use the plugins for Wrdpress, then I suggest you manually update your WordPress Installation and Plugins everytime a new update comes out, because they include a lot of security fixes and new features.

Via Quick Online Tips

What is FoxyProxy?

• Want fine-grained control over which websites load through proxies?
• Live in Belarus, Burma, China, Cuba, Egypt, Iran, North Korea, Saudi Arabia, Syria, Thailand, Tunisia, Turkmenistan Uzbekistan, Vietnam, or one of the other nations who censor the internet?
• Can’t get to MySpace from school?
• Can’t get to GMail at work?

then foxyproxy is for you!. here is a rundown into its uber cool features…

• Animated statusbar/toolbar icons show you when a proxy is in use
• Define multiple proxies
• Define which proxy to use (or none!) for arbitrary URLs using wildcards, regular expression and other conveniences
• No more wondering whether a URL loaded through a proxy or not: FoxyProxy optionally logs all URLs, including which proxy was used (if any), which pattern was matched, timestamps, etc.
• Out-of-the-box support for Tor with the unique Tor Wizard – zero configuration!
• Temporarily or permanently dedicate all URLs to go through a particular proxy
• Temporarily or permanently disable use of a proxy
• Automatically add blocked sites to a proxy and have them reload through the proxy
• Optional status bar information about which proxy is currently in use
• Complete Proxy Auto-Config (PAC) support
• Download a link using one of your defined proxies with a simple right-click (coming soon)
• Unobtrusive presence, stable execution, premier support
• Optionally force Firefox to perform DNS lookups through a SOCKS4a/5 server. Note that Firefox without FoxyProxy always performs DNS lookups through a SOCKS5 server if you’ve defined one. Only with FoxyProxy can you instruct Firefox to not use defined SOCKS5 servers for DNS lookups.

So Go ahead and try out FoxyProxy and make browsing the web anonymously as easy as biting a piece of cake.