Have Your Online Galleries Been Hacked?

Are Your Boudoir Clients’ Photographs Safe and Secure Online?

Today in one of the boudoir forums that I frequent, a member posted about her discovery that there was a forum for voyeurs who were hacking their way in to boudoir galleries online. They weren’t stopping at boudoir galleries though — they were logging in to family galleries, and I’m sure other session galleries.

These people weren’t using the usual hacking methods though, at least not at first. They were actually just finding the path to the gallery and from there guessing the password.

Oh, and they started the thread in 2012. [Corrected. This post originally said November, 2013.]

It just took us until 2014 to find out about it.

More recent posts on the thread talked about using extortion to get money from the women in the galleries that they had found. Yes, threatening to post photos to Facebook unless they were paid off.

Then there were the threads about how they had figured out that they could potentially “scrape” all of the galleries from RedCart, gaining EVERY PHOTO POSTED there. Boudoir or not. Boudoir was what they were after though.

Voyeur Forum RedCart Scraping of Boudoir Photographs

They weren’t just going after online proofing sites (SmugMug, ZenFolio, and RedCart were all mentioned in their thread), but they were also going after online album proofing sites.

Voyeur Forum Suggests Hacking Album Company Site

Now you might think that your online gallery software or your album proofing company should be doing something to protect you from this hacking. The thing is, if you read their Terms of Service? Every single one of them has an “out” written into their contract. It is your responsibility to make sure your passwords are secure. Beyond that, if someone gets into them? Not their fault. (*I could argue that RedCart has a bigger issue on their hands if they were figuring out how to pull down every image on their site. Right now isn’t the time for arguing. Right now is the time to FIX THIS situation.*)

Here is SmugMug’s Terms of Service and here is ZenFolio’s Terms of Use and Privacy Policy.

SmugMug's Very Standard Security Information

SmugMug’s Terms are pretty much the industry standard for ANY hosting service. Their responsibility is limited. It is your responsibility to keep your client’s photos safe.

UPDATE: If you are a Zenfolio user, a photographer started a feature suggestion that people can only guess a password 3 times before being locked out of a gallery. If any of you would vote for it, please go here.

The forum has now moved the post to their “Member’s Only” section, so we can’t see what they have added to it at this point. At the time that the post was moved, the thread was 121 pages long.

Thing is, this may be the one forum that we know about, but I promise you – it is NOT the only forum out there with information like this.

Protecting Your Clients

Ok, now that we are all sufficiently panicked about this, let’s talk about what we can DO about it.

1. Never post your client’s images online, ANYWHERE. Realistically, that is the only safe & secure method to use. I went that route a few years ago when we caught someone trying to hack (truly hack, not just guess at passwords) their way into my online gallery software that I hosted on my own server. I don’t post my boudoir client’s images online. We meet in person to view the images. (I’ve talked before about my whole In Person Viewing process in these posts: overcoming your fear of in person sales sessions, boudoir photography workflow – preparing for in person sales and the magic of in person sales sessions.)

I do however use an online album proofing company and an online slideshow option. I am considering discontinuing both of those services after today.

But I HAVE to do Online Proofing! (Insert reason here.)

Ok, so option #1 isn’t an option for you, for whatever reason. You simply must post your photos online for them to see them.

2. Use a SECURE password. Using your client’s name? Not a secure password. Using “boudoir”? Not a secure password. Using “sexy”? Not a secure password. These and many more obviously easy-to-guess passwords were being passed around in this forum. An entire boudoir photographer’s gallery was linked, and every single session used the first name as the password. Yes, they worked. No, that is NOT secure. WORDS, no matter how unique they are to your client, are not secure.

(Want to learn more than you ever wanted to know about password security? Wired Magazine – Secure Passwords Keep You Safer and the scary story of how Mat Honan’s entire world was hacked, Wired Magazine – Kill the Password: Why a String of Characters Can’t Protect Us Anymore.)

3. Have a clause in your contract limiting your liability if your galleries are accessed. Do you want your clients coming after you if someone got into your galleries and took their photos and posted them all over Facebook? No? Then you need to talk with your lawyer to make sure you are protected in case this happens to you. (Yes, just like SmugMug, ZenFolio, and RedCart have in their Terms of Use.) Make sure that your clients understand that no password is EVER completely safe.

Make sure you understand that too. No password is ever completely safe. It is not a matter of if you will be hacked, it is a matter of when. You need to put photos online with that understanding.

From now on, if I ever have to put a gallery online for any reason, I will require my clients to sign a special release for the gallery going online. This is something you should consider not just for boudoir sessions, but for any client. Make sure your client is aware that the photographs could be compromised. For example, some parents do not want their children’s photos viewed by anyone.

4. Be obscure about where your galleries are located. “One of the best security measures in the online world is ‘obscurity’, otherwise known as ‘security through obscurity’.

Basically if you have online galleries that you want protected, don’t add them to your main gallery list or your site’s navigation. At Fotomerchant we call them “ghost” pages and only people you give the unique URL to will even know the page exists.

Also, make sure the pages are NOT listed in your sitemap.xml and that your robots.txt does not allow full site crawling, and then Google will never know they exist either… Unless you post a link to the gallery somewhere public!

Obscurity is one of the only measures that requires human knowledge in order to crack it” — Derek Clapham, co-founder of FotoMerchant, in response to a private forum post I made about this situation this afternoon.

However, private, hidden, unsearchable galleries were on that list that we discovered. Just making it obscure wasn’t enough for them when they were determined. In some cases, “they were able to find these hidden pages due to the nature of their URL design. It was predictable and based on a number sequence”, said Derek.

5. Pull expired galleries offline. When possible, use FTP to make sure the images are completely removed. If you let the gallery expire and it is still online, the photographs are still stored on a server somewhere. Servers can be hacked, your files can be accessed. Remove them from the server completely when you are done with the gallery or album proof.
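As an added example (not code from this post or from any of the gallery services named above), here is a small Python model of the protections that points 2 and 4 and the Zenfolio feature request describe: refusing client-name and dictionary-word gallery passwords, publishing each gallery under a random slug instead of a predictable number sequence, and locking a gallery after three wrong guesses. The word blocklist, the 12-character minimum and the `GalleryGate` class are assumptions of the example, not anything the services actually implement.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed blocklist of the kinds of passwords the forum thread showed working.
COMMON_WORDS = {"boudoir", "sexy", "password", "photos", "gallery"}
MAX_FAILED_ATTEMPTS = 3  # lockout threshold from the Zenfolio feature request above

def is_weak_gallery_password(password: str, client_name: str) -> bool:
    """True for the guessable values the post warns against: the client's name
    (or any part of it), a plain dictionary word, a short value, or letters only."""
    p = password.lower()
    name_parts = [part for part in client_name.lower().split() if len(part) >= 3]
    if any(part in p for part in name_parts):
        return True
    return p in COMMON_WORDS or len(p) < 12 or p.isalpha()

def new_gallery_slug() -> str:
    """Random URL segment; unlike a number sequence, one address reveals nothing about the next."""
    return secrets.token_urlsafe(16)

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a copy of the gallery table does not hand out the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class GalleryGate:
    """Publishes galleries under random slugs and locks a gallery after repeated bad guesses."""
    def __init__(self) -> None:
        self._galleries = {}               # slug -> (salt, password hash)
        self._failures = defaultdict(int)  # slug -> consecutive failed attempts

    def publish(self, client_name: str, password: str) -> str:
        if is_weak_gallery_password(password, client_name):
            raise ValueError("refusing to publish a gallery with a guessable password")
        slug, salt = new_gallery_slug(), secrets.token_bytes(16)
        self._galleries[slug] = (salt, _hash(password, salt))
        return slug

    def attempt(self, slug: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'; a locked gallery accepts no more guesses."""
        if slug not in self._galleries:
            return "denied"                # an unknown slug looks just like a wrong password
        if self._failures[slug] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        salt, expected = self._galleries[slug]
        if secrets.compare_digest(_hash(password, salt), expected):
            self._failures[slug] = 0
            return "ok"
        self._failures[slug] += 1
        return "locked" if self._failures[slug] >= MAX_FAILED_ATTEMPTS else "denied"
```

The lockout is per gallery rather than per visitor, because the thread's method was to guess at one known gallery until it opened; the photographer unlocks it by republishing with a new password.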

Once something goes online, it is never completely safe

Even if you do all of the things listed above, are your client’s photos still secure?

No.

No, they are not.

Hidden, not listed, not linked, unsearchable galleries? ALL were in that post discovered today.

Once these people found the easy to target galleries, they pushed on to find the harder to discover ones. They figured out how to move up and down the gallery structure of the software. How to change the string text to get to a gallery. They kept looking. For almost two years they have been looking. Some in the thread mentioned “let me check my documents of the ones I’ve gotten in to” — so even if this thread disappears, there are others out there, and private files that people keep.

Photo Credit: ~Brenda-Starr~ via cc

Marketing with Marketog!

I am SO EXCITED to share that registration is open once again for Jamie Swanson’s Marketog course!

I signed up for the first round of this course and so far I have LOVED it! It is a six week course, but the information included in it is so extensive, I’ve taken longer than six weeks to go through it all. Good thing that you have lifetime access to all the materials once you join the course, in addition to the Facebook group, so you can complete it at your own pace!

The material is top-notch, and the months and months that Jamie put in to building this really shows!

Have you ever wished that someone would walk you through improving your marketing to grow your business, step by step? That is what this course is all about. It is full of videos and actionable worksheets that goes deep into the strategy, the all-encompassing plan you need for landing more of your ideal clients. Each week there are at least five activities to do, all built one upon the one before, to make your business grow!

Registration is only open from December 30, 2013 – January 5, 2014 – so if you want in, sign up NOW! Visit the Marketog course page for all the details!

Self-Employed? You Can Be Fired for What You Say Publicly

My first thought was, “I’m so glad I work for myself so I can say what I want.” I came home from holiday shopping and while my husband unwound with some X-Box time, I went to check in on Facebook and saw the first trickle of the response to the GQ magazine article.

That was my initial reaction as I read the Duck Dynasty story as it first broke late on Wednesday night. Thinking that just because you’re self-employed means you can’t be fired brings about a false sense of security.

You can still be fired – by your clients.

By the next morning, news was out that Phil was put on indefinite hiatus by A&E, and half the internet seemed to be in an uproar about his rights under Freedom of Speech, and the other half was either ambivalent or felt that A&E made the right move.

Personally? I’ve never seen the show, so I couldn’t speak on the issue. I could speak about the Freedom of Speech issue though — because Freedom of Speech does NOT mean freedom from consequence. It simply means that the government or the police can not come after you for what you said. If your employer or your client isn’t happy with it, they can choose not to work with you.

Then it happened again.

Just over 24 hours later, Justine Sacco made a rather crass post to Twitter, and then boarded a plane to Africa. The same continent she just slammed in her tweet. Probably smart to get out of London, after saying things about them too. By the time she landed after her wi-fi free flight 13 hours later, she too had been fired from her job. She was a trending hashtag on Twitter. People were sending her death threats.

I didn’t see anyone defending her right to Freedom of Speech though. Probably because what she said was pretty horrific.

It was fascinating to watch these two events go down in such a short span of time. The lesson I was reminded of is that the internet never forgets. You can delete a tweet, but you can’t control who has seen it or copied it already. What you say can and will live on. While many of us are self-employed, we are still employed – BY OUR CLIENTS.

“Type up a Facebook status update — and it can be radioactive forever. Don’t be fooled by your keyboard: the Internet doesn’t have a delete button. Screenshots can make your words have a half life of eternity. Social media is exactly that — social. It impacts you socially for as long as you are a member of society.

One tweet can be the last tick in the bomb that detonates your life.” — from Dear Kids: What You Need to Know About Duck Dynasty, Justine Sacco, and Christmas, the post that inspired me to write this post.

We might not make a late night joke on Twitter or Facebook and then find ourselves fired the next day. What you say might be seen by a potential client on social media, or a friend of a potential client. Or a friend of a friend. Doesn’t matter. It is seen by others, and it can hurt you. It can keep you from getting more clients.

Private is not private when it comes to the Internet.

Do not fall into the trap of thinking that your Twitter stream or Facebook wall is set to private and only your closest friends see it. Or that you’re posting it in a private Facebook group, so your clients will never know. People can easily capture an image of the screen or copy/paste the text. You do not know who is in that group, who may be watching.

I see it constantly. People complaining about clients in the groups that I’m in. STOP. Your peers are judging you for it, and one of them could choose to leak it. I’ve had people who live in other cities ask me for recommendations of people to work with. If you’re constantly complaining in a private group about how much you hate your clients, how crazy they are, how they frustrate you, do you think I will recommend you? The answer to that is a loud & resounding NO.

You never know who sees what you are saying online.

Back when I was in high school, I passed notes in class with my friends. I wrote something in a note once about a friend who I was angry with at the time, and another friend showed it to her, causing quite a shitstorm for me. My mom said that if I didn’t want something to get back to someone, never write it down.

The same still applies these days. Only now? The internet has a permanent quality that note passing in 10th grade never had. Something can come back to haunt you, even years later. Think about what you write down online. What you say to other people. You are your brand at ALL times, and what you say matters to your clients, who are ultimately your employers. With social media what you say can spiral far out of your control. Just ask Justine Sacco about that this morning.

Justine Sacco Twitter Stream
Screen cap from my iPhone last night, before Justine Sacco’s Twitter Account was deleted.