DPChallenge Forums >> Web Site Suggestions >> More secure workshop images
05/16/2007 08:25:59 PM · #1
With the start of the DPL, more and more people are submitting preliminary images to their workshops for discussion with the rest of their team. I think this is a great idea. However, workshop images are not completely secure. Simply by entering the wrong image number, it is possible to see someone else's workshop entry. Granted, it's not terribly convenient to do so but it is still possible.
I still see the old use of the workshop (for temporary images) as existing so I don't want to change the way it works. I would just like a way to 'secure' an image so only those people I want to allow can see that image.
The existing security on the workshop is based off "security by obscurity". This means that it's secure because no one knows it's there. With the web addresses of these images being based on the image numbers which increment linearly, it's really easy to guess numbers and see images (and hence not very obscure). I see no reason to use a different style of security (as they're just images) but can we change the web address to use something other than the image number? For example, if the image link became: //www.dpchallenge.com/image.php?IMAGE_ID=sdf4289sas23rff, no one would be able to guess it yet everyone who sees the link (i.e. was given permission by the owner) will still be able to view the image.
05/16/2007 08:30:00 PM · #2
Solution

Disallow direct access to workshop images without a VALID REFERRER URL.

If it is just typed in, this will disallow it. The best way is to redirect somewhere else instead of saying denied.

If the thread links to the workshop image it will include a valid referrer url in the headers.

Creates a Problem
People can generate a list of thumb numbers they can't seem to get to and put it in a thread to view them.

Solution to that
Separate section in workshop that only accepts Referrer URLs from private threads.....
05/16/2007 08:32:20 PM · #3
the irony of this thread is that it tells everyone a flaw that most people would not have thought of increasing the chances of it happening
05/16/2007 08:40:35 PM · #4
Originally posted by electrolost:

the irony of this thread is that it tells everyone a flaw that most people would not have thought of increasing the chances of it happening


I realize that, but that's the standard problem with security issues. Once found, how do you let people know about the problem without letting them know about the problem...

Hopefully the SC will jump on this one fast and fix it.
05/16/2007 08:42:28 PM · #5
Originally posted by electrolost:

the irony of this thread is that it tells everyone a flaw that most people would not have thought of increasing the chances of it happening


It's been mentioned in threads before so the irony is lessened minus people who are paying attention.

Ironically, the more it's replied to the more people tend to read it lol.
05/16/2007 08:43:54 PM · #6
I imagine it would take a lot of random image numbers to find somebody's picture that would be used for a challenge. And if you did stumble upon one, then what? The only real purpose I could see is if you wanted to "steal" somebody's idea, because ultimately you would see the image during the voting phase anyway.
05/16/2007 08:44:30 PM · #7
I knew it was possible. Wow, someone would have to be like really anal to actually go through and do it. Besides, with a hit or miss method like that, what's the REAL risk? Anonymity? I don't think it's THAT big of a deal.

Message edited by author 2007-05-16 20:44:52.
05/16/2007 08:46:31 PM · #8
Originally posted by mad_brewer:

I imagine it would take a lot of random image numbers to find somebody's picture that would be used for a challenge. And if you did stumble upon one, then what? The only real purpose I could see is if you wanted to "steal" somebody's idea, because ultimately you would see the image during the voting phase anyway.


Very true, it's a shot in the dark when you enter a random number, but still possible. And, why do we not let people see current submissions to challenges... so they don't steal ideas.
I'm not saying it's the end of the world, just inconsistent.
05/16/2007 08:48:17 PM · #9
Originally posted by jrdawson:

Originally posted by mad_brewer:

I imagine it would take a lot of random image numbers to find somebody's picture that would be used for a challenge. And if you did stumble upon one, then what? The only real purpose I could see is if you wanted to "steal" somebody's idea, because ultimately you would see the image during the voting phase anyway.


Very true, it's a shot in the dark when you enter a random number, but still possible. And, why do we not let people see current submissions to challenges... so they don't steal ideas.
I'm not saying it's the end of the world, just inconsistent.


Well, it can be but doesn't have to be. You can look at recently uploaded images and pick two images that have a lot of number space between them. Look at all the numbers (could be 5, could be 20) and you're bound to find a workshop image.

That's hit and miss but current workshop image numbers are gonna be within a limited range.
05/16/2007 08:51:00 PM · #10
Originally posted by mad_brewer:

I imagine it would take a lot of random image numbers to find somebody's picture that would be used for a challenge.


Actually, that's not true at all. I'm not going to spill the beans ... Edit: Rainmotorsports spilled the beans... =P

Unfortunately, from what I can tell of the infrastructure, there may not be an easy solution to this for now, except to disallow workshop photo viewing - perhaps from everyone but your DPL teammates.

Longer term, adding a "Restrict to DPL team" checkbox to the photo properties may be in order.

-Jeff

Message edited by author 2007-05-16 20:52:34.
05/16/2007 08:51:56 PM · #11
Originally posted by mad_brewer:

I imagine it would take a lot of random image numbers to find somebody's picture that would be used for a challenge. And if you did stumble upon one, then what? The only real purpose I could see is if you wanted to "steal" somebody's idea, because ultimately you would see the image during the voting phase anyway.


Not really. I just found a bunch that look like possible challenge entries from people not on my team.
05/16/2007 08:55:35 PM · #12
There's a really naughty image in my workshop folder, you guys have 5 minutes to find it.
05/16/2007 08:57:28 PM · #13
Originally posted by fotomann_forever:

There's a really naughty image in my workshop folder, you guys have 5 minutes to find it.


What? And risk seeing another Got Cheese shot or worse? No way!
05/16/2007 08:57:49 PM · #14
Another way to see workshop entries is to look at someone's recently made or received comments. I was just looking at someone's comments made and he has given a few on workshop photos, I assume from his teammates. So if the image #'s in the URL are going to be disabled, then the comments have to be as well.
05/16/2007 08:59:51 PM · #15
Can we have this thread title changed to "How to make the workshop images less secure?" :P
05/16/2007 09:03:27 PM · #16
Originally posted by yanko:

Can we have this thread title changed to "How to make the workshop images less secure?" :P


How about: "Keep posting so this thread stays on the front page." =P
05/16/2007 09:09:12 PM · #17
Originally posted by smurfguy:

Originally posted by yanko:

Can we have this thread title changed to "How to make the workshop images less secure?" :P


How about: "Keep posting so this thread stays on the front page." =P


Well, we do have to let everyone know about this little travesty ;-)
05/16/2007 09:09:25 PM · #18
Originally posted by jrdawson:

Originally posted by electrolost:

the irony of this thread is that it tells everyone a flaw that most people would not have thought of increasing the chances of it happening


I realize that, but that's the standard problem with security issues. Once found, how do you let people know about the problem without letting them know about the problem...

Hopefully the SC will jump on this one fast and fix it.


There is always the Contact Us page...

~Terry
05/16/2007 09:53:59 PM · #19
Originally posted by ClubJuggle:

There is always the Contact Us page...

already been there ;-)
05/16/2007 10:09:28 PM · #20
Originally posted by Skip:

Originally posted by ClubJuggle:

There is always the Contact Us page...

already been there ;-)


And what size did you want your T-shirt to be? :)
05/16/2007 10:10:35 PM · #21
Originally posted by yanko:

Originally posted by fotomann_forever:

There's a really naughty image in my workshop folder, you guys have 5 minutes to find it.


What? And risk seeing another Got Cheese shot or worse? No way!


Too late, it was hot and I deleted it.
05/16/2007 10:12:13 PM · #22
Originally posted by fotomann_forever:

Originally posted by yanko:

Originally posted by fotomann_forever:

There's a really naughty image in my workshop folder, you guys have 5 minutes to find it.


What? And risk seeing another Got Cheese shot or worse? No way!


Too late, it was hot and I deleted it.


I would weep, but I'm too busy smiling. :)
05/16/2007 10:25:34 PM · #23
Originally posted by L2:


I would weep, but I'm too busy smiling. :)


:-D
05/18/2007 11:02:14 PM · #24
Well, until DPC fixes this (maybe they have and I haven't noticed), here's an alternative option I threw together for my team, and I'll share it with you all.

jrdawson is right - security by obscurity is ok as long as your filenames are random enough. So I've put up a page on my website where you can upload your images, and it will give them a 128-bit hashed filename (i.e. impossible to guess).

As long as you only post the link in your private DPL thread, nobody will ever find it.

After you upload, it generates a thumbnail and gives you the forum code to paste into your post, complete with a linked image preview, just like those at DPC.

//www.onetacoshort.com/upimg.php

Let me know if it works for you!

Here's an example:



(I hope Brad doesn't mind me posting more of his shots - they're really great!)

Cheers,
-Jeff

P.S. Sorry Leroy, I realize this may defeat the purpose of "accidentally" leaving racy images lying around in your workshop. =)
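
The two fixes discussed in this thread (the unguessable link proposed in post #1 and built in post #24, and the "Restrict to DPL team" idea from post #10), shown side by side with the sequential-number lookup as an added example that is not part of the thread and is not DPChallenge's or any poster's code. The store, field names and sample users are hypothetical, and the token is drawn directly from the OS CSPRNG rather than produced by hashing.

```python
import secrets


class WorkshopStore:
    """In-memory stand-in for an image table (hypothetical schema)."""

    def __init__(self):
        self._by_id = {}     # sequential number -> record (guessable)
        self._by_token = {}  # random token -> record (unguessable)

    def upload(self, owner, data, team=()):
        rec = {
            "id": len(self._by_id) + 1,          # increments linearly
            "token": secrets.token_urlsafe(16),  # 16 bytes = 128 bits of CSPRNG output
            "owner": owner,
            "team": set(team),                   # empty set = anyone holding the link
            "data": data,
        }
        self._by_id[rec["id"]] = rec
        self._by_token[rec["token"]] = rec
        return rec

    def view_by_id(self, image_id):
        """Legacy lookup: any number that exists is served to anyone."""
        rec = self._by_id.get(image_id)
        return rec["data"] if rec else None

    def view_by_token(self, token, viewer=None):
        """Token lookup, plus an optional team restriction enforced server-side."""
        rec = self._by_token.get(token)
        if rec is None:
            return None
        if rec["team"] and viewer != rec["owner"] and viewer not in rec["team"]:
            return None  # a leaked link alone is not enough for restricted images
        return rec["data"]


def demo():
    store = WorkshopStore()
    a = store.upload("alice", b"draft-1")                # constructed sample: link-only sharing
    b = store.upload("bob", b"draft-2", team={"carol"})  # constructed sample: team-restricted
    return {
        "guessed_by_number": store.view_by_id(b["id"]),  # served with no check at all
        "wrong_token": store.view_by_token("not-a-real-token"),
        "link_holder": store.view_by_token(a["token"]),
        "outsider_with_link": store.view_by_token(b["token"], viewer="mallory"),
        "teammate": store.view_by_token(b["token"], viewer="carol"),
        "token_chars": len(a["token"]),
    }
```

The random token only protects an image while the link stays private; the team check is what still holds if the link is reposted outside the team thread.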
05/18/2007 11:06:13 PM · #25
Originally posted by jrdawson:

Originally posted by electrolost:

the irony of this thread is that it tells everyone a flaw that most people would not have thought of increasing the chances of it happening

... how do you let people know about the problem without letting them know about the problem...

Send a Help/Contact ticket to either Langdon or SC.

edit - typo

Message edited by author 2007-05-18 23:07:15.