Reviews

Flickr tightens up image security

Given my concern with image theft, I do not like to hear about Flickr hacks. A while back, a Flickr hack circulated that allowed people to view an image’s full size even if the photographer didn’t allow it (provided the image was uploaded at high resolution). The hack was based on Flickr’s standard URL structure for both pages and image file names, and allowed people to get at the original sizes in two ways. It was so easy to use, and the security hole was so big, that I was shocked Flickr didn’t take care of it as soon as the hack started to make the rounds.

It’s been a few months now, and I’m glad to say the hack no longer works. I’m not sure exactly when they fixed it. Since it’s no longer functional, I might as well tell you how it worked, and how they fixed it.


First, let’s look at a page’s URL structure. Take this photo of mine (reproduced above). The URL for the Medium size (the same size that gets displayed on the photo page) is:

http://flickr.com/photo_zoom.gne?id=511744735&size=m

Notice the last URL parameter: size=m. The URL for the Original size is the same, except for that last parameter, which changes to size=o. That makes the URL for the original photo size:

http://flickr.com/photo_zoom.gne?id=511744735&size=o

Thankfully, that no longer works. If the photographer disallows the availability of sizes larger than Medium (500px wide), then you get an error that says something like “This page is private…”

Second, they’ve randomized the actual file names. So although that image of mine is number 511744735, and it stands to reason that I would be able to access the file by typing in something like http://farm1.static.flickr.com/231/511744735_o.jpg, that’s just not the case. Each file name is made up of that sequential number, plus a random component made up of letters and numbers, plus the size indicator. So the actual path to the medium size of the image file is:

http://farm1.static.flickr.com/231/511744735_b873d33b12_m.jpg

This may lead you to think that if you can get that random component from the URLs of the smaller sizes, you can then apply the same URL structure to get at the larger size, but this is also not the case. It turns out that Flickr randomizes that middle part again for the original size. So although it stays the same for all sizes up to 1024×768, it’s different for the original. For example, the URL for the original size of that same photo is:

http://farm1.static.flickr.com/231/511744735_d3eb0edf2d_o.jpg

This means that even if you go to the trouble of getting the file name for one of the smaller sizes, you cannot guess the file name of the original photo, and this is great news for photographers worried about image theft.

While I’m writing about this, let me not forget about spaceball.gif, the transparent GIF file that gets placed over an image to discourage downloads. It can be circumvented by going to View >> Source and looking at the code to find the URL for the medium-size image file. It’s painful, but it can be done, and I understand there are some scripts that do it automatically. The cool thing is that after Flickr randomized the file names, it became next to impossible to guess the URL for a file’s original size. The best image size that someone can get is 1024×768, which might be enough for a 4×6 print, and can probably be blown up with special apps to a larger size, but still, it’s not the original.

Perhaps it would be even better to randomize the file name for the large size as well, so that it’s different from the smaller sizes and the original size. That would definitely take care of the problem. Still, this is a big step in the right direction.
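To make the URL structure and the fix concrete, here is a small model of the scheme the post describes, written for this page and not taken from Flickr’s code. The hostnames, the path layout and the m and o size letters come from the post itself; the Photo record, the way secrets are generated, the other size letters, the permission check and the function names are assumptions made for the example. It models both what the post observed (one secret shared by the sizes up to Large, a separate one for the original) and the stricter per-size variant suggested above.

```python
"""
Model of the Flickr URL scheme described in the post and of the server-side
checks that closed the hole. Added illustration, not Flickr's code: the
hostnames, path layout and the m/o size letters come from the post; the Photo
record, secret generation, other size letters and permission model are
assumptions made for this example.
"""
import re
import secrets
from dataclasses import dataclass, field

# Size letters in increasing pixel size; 'm' and 'o' are from the post,
# 's' (small) and 'b' (large, 1024px) are assumed for the example.
SIZE_ORDER = ["s", "m", "b", "o"]

# Shape of the static URL quoted in the post:
# http://farm1.static.flickr.com/231/511744735_b873d33b12_m.jpg
STATIC_URL = re.compile(
    r"^https?://farm(?P<farm>\d+)\.static\.flickr\.com/(?P<server>\d+)/"
    r"(?P<id>\d+)_(?P<secret>[0-9a-f]{10})_(?P<size>[a-z])\.jpg$"
)


def parse_static_url(url):
    """Split a static image URL into farm, server, id, secret and size (None if no match)."""
    m = STATIC_URL.match(url)
    return m.groupdict() if m else None


def shared_then_original():
    """What the post observed: one secret for every size up to large, a fresh one for the original."""
    shared = secrets.token_hex(5)  # 10 hex characters, like the examples in the post
    return {"s": shared, "m": shared, "b": shared, "o": secrets.token_hex(5)}


def independent_secrets():
    """The stricter variant the post suggests: no size shares a secret with any other."""
    return {size: secrets.token_hex(5) for size in SIZE_ORDER}


@dataclass
class Photo:
    photo_id: int
    farm: int
    server: int
    max_public_size: str  # largest size the photographer lets others view
    secrets_by_size: dict = field(default_factory=shared_then_original)

    def static_url(self, size):
        """Build the static-host URL for one size of this photo."""
        return (f"http://farm{self.farm}.static.flickr.com/{self.server}/"
                f"{self.photo_id}_{self.secrets_by_size[size]}_{size}.jpg")


def can_view_size(photo, size):
    """The photo_zoom.gne?id=...&size=... check: any size above the allowed one is private."""
    return SIZE_ORDER.index(size) <= SIZE_ORDER.index(photo.max_public_size)


def serve_static(photo, url):
    """The static host: a path is served only if its secret matches the stored one for that size."""
    parts = parse_static_url(url)
    if parts is None or int(parts["id"]) != photo.photo_id:
        return None
    if parts["secret"] != photo.secrets_by_size.get(parts["size"]):
        return None
    return f"<image bytes, size {parts['size']}>"


def original_reachable_from(photo, known_size):
    """Does editing the size letter of a known URL yield a servable original-size URL?"""
    guessed = photo.static_url(known_size).replace(f"_{known_size}.jpg", "_o.jpg")
    return serve_static(photo, guessed) is not None
```

The two checks are independent, which is the point of the fix: the photo page refuses sizes above the photographer’s limit, while the static host serves any path whose secret is right. Because the Medium URL is in the page source regardless of the spaceball overlay, the only thing standing between a viewer and the original is the separate, unguessable secret in the original’s file name; with one secret shared across all sizes (the old scheme), rewriting the size letter is enough.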

Thoughts

Google to buy FeedBurner in next 2-3 weeks

I thought it odd that I got no reaction whatsoever from the FeedBurner folks when I compared their site stats service with Google Analytics back in April, and deemed FeedBurner superior. I keep in touch regularly with a couple of folks from FeedBurner, and when I write about them, I usually get a little note by email or a comment on my post. But I got nothing this time. I thought, “Hmm, something’s gotta be up. What’s going on between FeedBurner and Google? Did I ruffle some feathers?” The complete silence was unusual. I could hear virtual crickets chirping away…

Fast forward about a month, and I find out this afternoon from Beta News that Google and FeedBurner are in acquisition talks. The quoted price is $100 million. It’s a sane price, not a make-believe one, like the one paid for Doubleclick or that other ad company that MS purchased (those prices were absolutely and ridiculously inflated). I actually believe FeedBurner brings much more value to the table than those two companies combined, so the $100 million is a real bargain. I hope for FeedBurner’s sake the price is more than that in the end.

Anyway, if this does turn out to be true, I’m happy for the FeedBurner folks, and wish them all the best. May they teach Google a thing or two about feed management and other such fun stuff. Cheers, guys! Thanks for the awesome service!

Reviews

The new and improved Google Analytics

I’ve just been playing with the new Google Analytics interface, and wow, that’s a seriously cool improvement over the old one! Google announced this a few days ago, and I waited to see when the change would take place in my account.

I logged in a few minutes ago and was given a choice between using the old interface and the new one, which is still in Beta. I chose the new one, of course, and was blown away by the overhaul! My gosh, it’s clean, crisp, much easier to use, and it lets you dig down as much as you want to, but doesn’t overwhelm you if you just want to get the bird’s eye view.

What I also like is that they’ve buried the AdWords campaign tracking stuff down toward the bottom, and it’s even less visible than before. That’s great for me, since I’m not currently running any AdWords campaigns for ComeAcross, and wasn’t tracking the conversion anyway. My traffic’s pretty much organic, and it’s been steadily growing since I launched my blog last year.

You’ve got to have a look when you get a chance. Log in, and definitely play around with the new interface if you’re given the option. You will not regret it! I criticized Google Analytics for their hard-to-use interface in a previous post, but that was before this gorgeous new overhaul.

Now if they’d only fix their persistent login issue… Just about every other Google property knows I’m logged into my account and lets me right in, but Google Analytics always asks for my password, and that’s a bit annoying.

Lists

Condensed knowledge for 2007-05-05

Getting right to the links:

  • English Russia has photos of some amazing cakes made by a baker from St. Petersburg called Zhanna. They’re completely edible and very creative. I can’t even begin to imagine the work that goes into making them, but I’m sure it’s not easy.
  • The police have started to arrest children and treat them as adults. Just plain weird, and not right. It’s one thing to scare them by taking them to the police station and going through the motions of that whole process, but it’s quite another to actually create arrest records for them. That stuff will haunt them throughout their adulthood.
  • How does Google rank your blog? You might want to read this and find out.
  • Check out the pessimist’s mug.
  • This is by far some of the best advice I’ve read in a long time. A kind fellow has put together a list of things you can do to ensure survival during hard times (occasions such as natural disasters, wars, food shortages, cold weather, etc.). It’s most definitely worth a read, but make some time first — it’s going to take 15-20 minutes to get through it.
  • ETFE (Ethylene Tetrafluoroethylene) is an amazing polymer that is finding its way into some pretty innovative modern architecture. Have a look at this BusinessWeek article, and also see the photos.
  • Here’s how to see EXIF data right in your Mac’s Finder.
  • The Daily Show has a great video segment of Bush debating Bush on the Iraq war.
  • ASIFA has a wonderful post on why you should be original and not copy others. Great stuff!
  • Shorpy, my favorite 100-year-old photo blog, has transcribed a typed letter used in one of the episodes of “Leave It To Beaver”. It was supposed to be from Mrs. Rayburn to Beaver’s dad.
  • It’s a blog post like this that lets me know I’m right for being pro-choice.
  • Did you know some credit card companies will penalize you for paying your credit card on time and in full? If you’ve had this happen to you, I say it’s time to ditch them.
Lists

Condensed knowledge for 2007-05-04

Here’s the good stuff:
