How much does it cost to break into SmugMug.com?

Ophir put together a nice analysis of how much it would cost to break the security system of SmugMug.com, in response to a bounty advertised on their web site.

I think he’s being generous. The really bad guys (people who make money from cybercrime) have access to countless “free” machines; the crackers can easily break into a few boxes and use them for the attack Ophir describes. But mainly he’s being generous because he is giving them free security consulting, which is what they really need. Hey, SmugMug guys: a security contest is not a cheap replacement for an actual security audit (or consulting with an expert), just like bug bounties are not a replacement for QA.

And only God knows why, in 2007, the notion of my-url-is-so-long-nobody-will-guess-it is still alive. What do they teach in CS anyway?

  • Just Guess

    The numbers aren’t that hard to guess – they are apparently related in some way to the “uptime” of the service (not server) and are therefore not sequential.

    I can easily find, from this one (note: Ti means Thumbnail – less network load if found):
    http://www.smugmug.com/photos/54287630-Ti.jpg

    This one:
    http://www.smugmug.com/photos/54287636-Ti.jpg

    Then, if I want, I can replace Ti with L, XL or even SuperSizeMe (joking).

  • http://dontknow Dude

    woohoo!

  • http://dontknow Dude

    woohoo! funfun

  • -mozza-

    If I have a SmugMug password-protected gallery’s URL, can I figure out how to get in?