Privacy, Security and Elastic Computing

There is an interesting contest going on at the SmugMug image-sharing site: you can get 600$ if you can find a security hole in their system.

This is the result of an interesting debate about whether security and privacy are separate and how privacy and probability are related.

The core of the issue is that images that are marked “private” are actually served from public URLs which can be easily enumerated. While SmugMug offers stronger mechanisms for access control, I do believe this one creates a false sense of security.

SmugMug is a great site and it seems the people who make it are really innovative and smart. However, in the end, the question is how much it would cost to break it, assuming there is one evil person who wants to abuse it.

The surprising answer is 2535$.

I’ll demonstrate by assuming there is one evil person in the world who hates SmugMug for being so cool and successful.

This person decides to spend his hard earned money to create a publicity nightmare.
Let’s assume there are 1 million real pictures out of the 250 million possible URLs (the actual number does not really matter).

He spends 500$ (100*0.01$/HR*5000HR) to get 100 servers from Amazon EC2 and uses them for 2.08 days. Each server can send 50,000 HTTP requests per hour.
After 2 days the evil person knows the exact links to the one million “private” pictures (50*50,000*100 = 250,000,000).

He needs to pay 10$ for bandwidth for the pictures (1M * 0.1MB * 0.0001$/MB).
The nonexistent links would cost 25$ ( 250,000,000 *0.0001$/MB *0.001

The total cost is 535$ to get all the pictures.
(BTW, since SmugMug is using Amazon’s S3, the bandwidth cost would probably be 0$, since bandwidth between S3 and EC2 is free.)

In order to find the interesting ones he uses Amazon Mechanical Turk. He pays 0.01$ for classifying 5 images (a HIT), so the total cost would be 2000$ (1M * 0.01$ / 5).

Now the evil hacker can post the top 1000 photos on Flickr and get his evil wish fulfilled (2535$ cost).

To make matters worse, a cheap evil person can accomplish the same task at zero cost, using JavaScript & open web sites. This is very early in the morning, so I might have missed some of the calculations, but the order of magnitude seems fine.
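The estimate above as a parameterised cost model, added here as an example (not code from the original post). It goes one step beyond the post by computing how many random bits a URL token needs before finding even one private picture by guessing costs more than a given budget. The per-server-hour price is an assumption derived from the post's 500$ total for 100 servers over 50 hours, and all function names are hypothetical.

```python
# Added example: enumeration cost as a function of URL keyspace size.
# Constants are the post's figures unless marked as an assumption.
REQS_PER_SERVER_HOUR = 50_000
USD_PER_SERVER_HOUR = 500 / (100 * 50)  # assumption: 500$ total / 5,000 server-hours
USD_PER_MB = 0.0001
MISS_MB = 0.001        # response size for a nonexistent link
HIT_MB = 0.1           # size of one picture
USD_PER_HIT = 0.01     # Mechanical Turk price per HIT
IMAGES_PER_HIT = 5


def sweep_cost(keyspace, valid):
    """USD to request every URL in the keyspace once (compute + bandwidth)."""
    compute = keyspace / REQS_PER_SERVER_HOUR * USD_PER_SERVER_HOUR
    # As in the post, every request is charged a miss-sized response.
    bandwidth = (valid * HIT_MB + keyspace * MISS_MB) * USD_PER_MB
    return compute + bandwidth


def classification_cost(valid):
    """USD to have every retrieved picture classified."""
    return valid / IMAGES_PER_HIT * USD_PER_HIT


def cost_per_find(keyspace, valid):
    """Expected USD to hit one valid URL when guessing uniformly at random."""
    if not 0 < valid <= keyspace:
        raise ValueError("need 0 < valid <= keyspace")
    guesses = keyspace / valid  # mean number of tries until the first hit
    per_guess = USD_PER_SERVER_HOUR / REQS_PER_SERVER_HOUR + MISS_MB * USD_PER_MB
    return guesses * per_guess + HIT_MB * USD_PER_MB


def min_token_bits(valid, budget_usd):
    """Smallest random-token length (bits) where one expected hit exceeds the budget."""
    bits = 1
    while 2 ** bits < valid or cost_per_find(2 ** bits, valid) <= budget_usd:
        bits += 1
    return bits


if __name__ == "__main__":
    ks, n = 250_000_000, 1_000_000  # the post's keyspace and picture count
    print(f"full sweep:        {sweep_cost(ks, n):.2f} USD")
    print(f"with classifying:  {sweep_cost(ks, n) + classification_cost(n):.2f} USD")
    print(f"per picture found: {cost_per_find(ks, n):.6f} USD")
    print(f"bits for 1M USD per find: {min_token_bits(n, 1_000_000)}")
```

Under these prices each private picture costs a small fraction of a cent to find in a 250 million URL space, while a uniformly random token of standard length (for example 128 bits) puts a single hit far beyond any realistic budget.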

So, I suggest SmugMug keep doing the great work they are doing, but also invest the time and effort to fix this issue.

The fact that no one has complained so far is merely because the attack hasn’t taken place yet. Security through obscurity does not work in the long run.

It is a shame that one evil person can cause so much work and harm to so many good people, but that’s life.


