

On the dangers of autoincrementing: SmugMug's private pics are public - edw519
http://blogoscoped.com/archive/2008-01-28-n59.html

======
sanj
This article is important, but seems a little technically sloppy. The issue
isn't about autoincremented IDs, but the fact that they are used as external
identifiers. The specific reason they shouldn't be used is that they are
guessable.

It also confuses the concept of a GUID a little, I think. That refers to a
global UID, which could reasonably be a URL+autoincremented number: global and
unique.

But guessable. Which is the core issue.

I try to consider external IDs like passwords: create a cryptographically
strong hash, using some salt, and externalize that.

~~~
brlewis
Worse, the most common GUID is 128 bits formed from (I think) a MAC address
plus a timestamp. They are designed for uniqueness, not non-guessability.

On ourdoings.com photos are given unique, random URLs. No nude photos allowed,
though.
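Added example, not code from the thread or from any site it mentions: the two points above in Python. It shows that a version 1 UUID gives back its creation time and node field, and two ways to issue external IDs that cannot be enumerated. The keyed variant uses HMAC with a server-side secret in place of the salted hash mentioned above; all function names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets
import uuid
from datetime import datetime, timedelta, timezone

# Constructed per-process key for the demo (assumption: a real service loads
# a long-lived key from its secret store so the IDs stay stable).
SERVER_KEY = secrets.token_bytes(32)


def keyed_external_id(internal_id: int, key: bytes = SERVER_KEY) -> str:
    """Stable external ID derived from the autoincrement key with HMAC-SHA256."""
    mac = hmac.new(key, str(internal_id).encode(), hashlib.sha256).digest()
    return mac[:16].hex()  # 128 bits; neighbours cannot be derived without the key


def random_external_id() -> str:
    """Independent 128-bit ID from the OS CSPRNG, stored in its own column."""
    return secrets.token_urlsafe(16)


def uuid1_leak(u: uuid.UUID) -> tuple[datetime, str]:
    """Return the creation time and node field that a version 1 UUID embeds."""
    if u.version != 1:
        raise ValueError("not a version 1 UUID")
    # u.time counts 100 ns ticks since 1582-10-15, the start of the Gregorian calendar.
    epoch = datetime(1582, 10, 15, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=u.time // 10), f"{u.node:012x}"


if __name__ == "__main__":
    for row_id in (1001, 1002):  # constructed consecutive autoincrement keys
        print(row_id, keyed_external_id(row_id), random_external_id())
    sample = uuid.uuid1(node=0x001122334455)  # constructed node value
    print(sample, uuid1_leak(sample))
```

An unguessable ID only hides the URL; anything that must stay private still needs an authorization check on the request.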

~~~
sanj
Pikans responding to pikans.

The world continues to shrink.

------
raghus
Joshua Schachter's (del.icio.us) views on auto-incrementing:
<http://joshua.schachter.org/2007/01/autoincrement.html>

~~~
jgrahamc
Another problem with auto_increment occurs when the user id comes from an
auto_increment field. By signing up as a new user once a week and observing
your own user id you can measure the rate of growth of a competitor.

~~~
xirium
"By signing up as a new user once a week and observing your own user id you
can measure the rate of growth of a competitor."

I've done similar with cheques. In a previous job, I was paid by cheque. Each
month, I logged the cheque number. From this and taking into account other
payment methods, I determined that the company had significantly fewer
transactions than the boss claimed.

------
toffer
Don MacAskill (SmugMug CEO) has posted a response on his blog:
[http://blogs.smugmug.com/don/2008/01/28/your-private-photos-...](http://blogs.smugmug.com/don/2008/01/28/your-private-photos-are-still-private/)

Says Don: "To us, privacy and security are two separate, but related, issues.
One analogy we use often is that security is like locking your front door and
arming your alarm (no-one can get in without a key), and privacy is like
closing your window blinds (no-one can look in from the outside, but you can
tell people where you live and they can visit without a key)."

~~~
sharksandwich
There's a lot of wisdom in the saying 'when you find yourself in a hole, the
first thing to do is stop digging'.

His explanation isn't convincing, and certainly doesn't reassure anyone whose
private photos were revealed.

------
scooter53080
It seems like this is working as designed. The problem is different
definitions of "private," which I think SmugMug is wrong on. While the setting
is functioning as they intended, I do not consider it to be private. If the
label were "not displayed" this issue would probably not have come up.

