Have Your Online Galleries Been Hacked?

Are Your Boudoir Clients’ Photographs Safe and Secure Online?

Today in one of the boudoir forums that I frequent, a member posted about her discovery that there was a forum for voyeurs who were hacking their way in to boudoir galleries online. They weren’t stopping at boudoir galleries though — they were logging in to family galleries, and I’m sure other session galleries.

These people weren’t using the usual hacking methods though, at least not at first. They were actually just finding the path to the gallery and from there guessing the password.

Oh, and they started the thread in 2012. [Corrected. This post originally said November, 2013.]

It just took us until 2014 to find out about it.

More recent posts on the thread talked about using extortion to get money from the women in the galleries that they had found. Yes, threatening to post photos to Facebook unless they were paid off.

Then there were the threads about how they had figured out that they could potentially “scrape” all of the galleries from Red Cart, gaining EVERY PHOTO POSTED there. Boudoir or not. Boudoir was what they were after though.

Voyeur Forum RedCart Scraping of Boudoir Photographs

They weren’t just going after online proofing sites (SmugMug, ZenFolio, and RedCart were all mentioned in their thread), but they were also going after online album proofing sites.

Voyeur Forum Suggests Hacking Album Company Site

Now you might think that your online gallery software or your album proofing company should be doing something to protect you from this hacking. The thing is, if you read their Terms of Service? Every single one of them has an “out” written in to their contract. It is your responsibility to make sure your passwords are secure. Beyond that, if someone gets in to them? Not their fault. (*I could argue that RedCart has a bigger issue on their hands if they were figuring out how to pull down every image on their site. Right now isn’t the time for arguing. Right now is the time to FIX THIS situation.*)

Here is SmugMug’s Terms of Service and here is ZenFolio’s Terms of Use and Privacy Policy.

SmugMug's Very Standard Security Information

SmugMug’s Terms are pretty much the industry standard for ANY hosting service. Their responsibility is limited. It is your responsibility to keep your client’s photos safe.

UPDATE: If you are a Zenfolio user, a photographer started a feature suggestion that people can only guess a password 3 times before being locked out of a gallery. If any of you would vote for it, please go here.

The forum has now moved the post to their “Member’s Only” section, so we can’t see what they have added to it at this point. At the time that the post was moved, the thread was 121 pages long.

Thing is, this may be the one forum that we know about, but I promise you – it is NOT the only forum out there with information like this.

Protecting Your Clients

Ok, now that we are all sufficiently panicked about this, let’s talk about what we can DO about it.

1. Never post your client’s images online, ANYWHERE. Realistically, that is the only safe & secure method to use. I went that route a few years ago when we caught someone trying to hack (truly hack, not just guess at passwords) their way in to my online gallery software that I hosted on my own server. I don’t post my boudoir client’s images online. We meet in person to view the images. (I’ve talked before about my whole In Person Viewing process in these posts: overcoming your fear of in person sales sessions, boudoir photography workflow – preparing for in person sales and the magic of in person sales sessions.)

I do however use an online album proofing company and an online slideshow option. I am considering discontinuing both of those services after today.

But I HAVE to do Online Proofing! (Insert reason here.)

Ok, so option #1 isn’t an option for you, for whatever reason. You simply must post your photos online for them to see them.

2. Use a SECURE password. Using your client’s name? Not a secure password. Using “boudoir”? Not a secure password. Using “sexy”? Not a secure password. These and many more obviously easy to guess passwords were being passed around in this forum. An entire boudoir photographer’s gallery was linked, and every single session used the first name as the password. Yes, they worked. No, that is NOT secure. WORDS, no matter how unique they are to your client, are not secure.

(Want to learn more than you ever wanted to know about password security? Wired Magazine – Secure Passwords Keep You Safer and the scary story of how Mat Honan’s entire world was hacked, Wired Magazine – Kill the Password: Why a String of Characters Can’t Protect Us Anymore.)
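A check for the password patterns described in point 2, as an added example that is not part of the original post: it flags gallery passwords built from the client's name, the gallery title, or the words the post reports being guessed, and generates a random replacement. The function names, the sample clients, and the 12-character minimum are assumptions made for illustration.

```python
import secrets
import string

# Words the post reports being passed around as working gallery passwords.
GUESSABLE_WORDS = {"boudoir", "sexy"}
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the post

def weak_reasons(password, client_name, gallery_title=""):
    """Return the reasons a gallery password is guessable (empty list: none found)."""
    reasons = []
    pw = password.lower()
    # Pieces of the client's name or gallery title are the obvious first guesses.
    tokens = {t for t in f"{client_name} {gallery_title}".lower().split() if len(t) >= 3}
    for t in sorted(tokens - GUESSABLE_WORDS):
        if t in pw:
            reasons.append(f"contains '{t}' from the client or gallery name")
    for w in sorted(GUESSABLE_WORDS):
        if w in pw:
            reasons.append(f"contains the common word '{w}'")
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isalpha() or password.isdigit():
        reasons.append("letters only or digits only")
    return reasons

def new_gallery_password(length=16):
    """Random letters and digits from the OS CSPRNG; nothing tied to the client."""
    alphabet = string.ascii_letters + string.digits
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not pw.isalpha() and not pw.isdigit():  # keep both classes present
            return pw

# Constructed sample data: (client name, gallery title, current password).
GALLERIES = [
    ("Jane Example", "Jane Boudoir 2014", "jane"),
    ("Maria Sample", "Maria and Family", "Boudoir2014"),
    ("Alex Placeholder", "Session 17", "q7Vx2mLr9TzK4wHd"),
]

def audit(galleries):
    """Map gallery title -> weaknesses, listing only galleries that have any."""
    found = {title: weak_reasons(pw, name, title) for name, title, pw in galleries}
    return {title: r for title, r in found.items() if r}

if __name__ == "__main__":
    for title, reasons in audit(GALLERIES).items():
        print(f"{title}: {'; '.join(reasons)} -> replace with {new_gallery_password()}")
```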

3. Have a clause in your contract limiting your liability if your galleries are accessed. Do you want your clients coming after you if someone got in to your galleries and took their photos and posted them all over Facebook? No? Then you need to talk with your lawyer to make sure you are protected in case this happens to you. (Yes, just like SmugMug, ZenFolio, and RedCart have in their Terms of Use.) Make sure that your clients understand that no password is EVER completely safe.

Make sure you understand that too. No password is ever completely safe. It is not a matter of if you will be hacked, it is a matter of when. You need to put photos online with that understanding.

From now on, if I ever have to put a gallery online for any reason, I will require my clients to sign a special release for the gallery going online. This is something you should consider not just for boudoir sessions, but for any client. Make sure your client is aware that the photographs could be compromised. For example, some parents do not want their children’s photos viewed by anyone.

4. Be obscure about where your galleries are located. “One of the best security measures in the online world is ‘obscurity’, otherwise known as ‘security through obscurity’.

Basically if you have online galleries that you want protected, don’t add them to your main gallery list or your site’s navigation. At Fotomerchant we call them “ghost” pages and only people you give the unique URL to will even know the page exists.

Also, make sure the pages are NOT listed in your sitemap.xml and that your robots.txt does not allow full site crawling and then Google will never know they exist either… Unless you post a link to the gallery somewhere public!

Obscurity is one of the only measures that requires human knowledge in order to crack it” — Derek Clapham, co-founder of FotoMerchant, in response to a private forum post I made about this situation this afternoon.

However, private, hidden, unsearchable galleries were on that list that we discovered. Just making it obscure wasn’t enough for them when they were determined. In some cases, “they were able to find these hidden pages due to the nature of their URL design. It was predictable and based on a number sequence”, said Derek.
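A self-audit for the two weaknesses described above, as an added example that is not part of the original post or of any gallery product: it finds gallery paths that can be reached by counting up or down from a known one, lists private paths that the sitemap advertises, and generates a random path instead. The site photographer.example, the /clients/ prefix, and all function names are assumptions.

```python
import re
import secrets
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SM_NS = "{http://www.sitemaps.org/schemas/sitemap/0.9}"  # standard sitemap namespace

def new_gallery_slug():
    """16 random bytes (128 bits) from the OS CSPRNG, URL-safe encoded."""
    return secrets.token_urlsafe(16)

def neighbouring_ids(paths):
    """Numeric gallery IDs with an adjacent ID also in use: a countable sequence."""
    ids = {int(m.group(1)) for p in paths if (m := re.search(r"/(\d+)/?$", p))}
    return sorted(n for n in ids if n + 1 in ids or n - 1 in ids)

def private_paths_in_sitemap(sitemap_xml, private_prefix):
    """URL paths under private_prefix that the sitemap advertises to crawlers."""
    root = ET.fromstring(sitemap_xml)  # the site owner's own file, not untrusted input
    paths = [urlparse((loc.text or "").strip()).path for loc in root.iter(SM_NS + "loc")]
    return [p for p in paths if p.startswith(private_prefix)]

# Constructed sample data for a hypothetical site, photographer.example.
GALLERY_PATHS = ["/clients/1041", "/clients/1042", "/clients/1043",
                 "/clients/Zk3vQ9rT1xYb7LmN0pWc2A"]
SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://photographer.example/</loc></url>
  <url><loc>https://photographer.example/portfolio</loc></url>
  <url><loc>https://photographer.example/clients/1042</loc></url>
</urlset>"""

if __name__ == "__main__":
    print("guessable by counting:", neighbouring_ids(GALLERY_PATHS))
    print("listed in sitemap:", private_paths_in_sitemap(SITEMAP, "/clients/"))
    print("replacement path: /clients/" + new_gallery_slug())
```

A random path only removes guessing by counting; the gallery still needs its own password, because a link stops being secret as soon as it is posted or forwarded.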

5. Pull expired galleries offline. When possible, use FTP to make sure the images are completely removed. If you let the gallery expire and it is still online, the photographs are still stored on a server somewhere. Servers can be hacked, your files can be accessed. Remove them from the server completely when you are done with the gallery or album proof.

Once something goes online, it is never completely safe

Even if you do all of the things listed above, are your client’s photos still secure?

No.

No, they are not.

Hidden, not listed, not linked, unsearchable galleries? ALL were in that post discovered today.

Once these people found the easy to target galleries, they pushed on to find the harder to discover ones. They figured out how to move up and down the gallery structure of the software. How to change the string text to get to a gallery. They kept looking. For almost two years they have been looking. Some in the thread mentioned “let me check my documents of the ones I’ve gotten in to” — so even if this thread disappears, there are others out there, and private files that people keep.

Photo Credit: ~Brenda-Starr~ via cc

Boudoir Posing Guides by Honeybourne Intimates

I just discovered the best boudoir posing guide I’ve EVER seen. I’m visiting a photographer friend of mine, Tracy Somerville, while in Canada on my Avenger of Sexiness World Tour. As we were setting up my guest bed spot in the basement of her house, I looked over and saw on a chair the Boudoir Posing Guide by Honeybourne Intimates that Tracy had printed out.

Delivered as a digital download, which is perfect for loading up on an iPad, this thing is beautiful! I was mesmerized as I was looking through it. Not just photos of poses, but tips for positioning and making the shot work as well. Easy to follow instructions, there were a few poses in there that I’ve tried to do a few times and never quite got the shot I wanted; as I read the tips on the page, I knew exactly how to do it next time!

I’ve seen a lot of posing guides for boudoir photographers over the years. I’m so surprised that I’ve never heard of it before. It would be great for those moments when you’re stuck thinking of a pose to try, feeling like you’re out of ideas. Or when you just need a photo to show a client so that they understand what you want them to do, which I’ve found really helpful at times to get the right position for the photograph.

Can you tell I’m just a little bit excited?!? Matter of fact, I stopped flipping through it long enough to write this blog post. I am definitely ordering a copy of Volume I and Volume II for myself!

Have you tried these posing guides? Or is there another posing guide out there that you LOVE that you think everyone should know about? Share your feedback in the comments – I would love to hear about them!

Disclaimer: The links above are affiliate links. If you buy a copy, I’ll add to my fund to keep the Avenger of Sexiness Tour on the road longer. Yay!

The Myth of “My Photography Pricing Has to Be Low…”

“Everyone else in my area is priced so low, so I have to be priced low too.”

I see this time and time again, people lamenting about the other photographers in their town who offer $50 portrait sessions with all of the digital files included, and how on EARTH are they ever going to compete with that if they set their photography pricing any higher?!?

Easily.

You are not those photographers. Their business is not your business. You don’t know what else they have going on that allows them to charge such a low rate. They may not be making a profit at all. But you? You get to design the business YOU want to create! (Remember?)

Just because everyone in your area has low rates, doesn’t mean you have to. That is probably just the perception you have after seeing several people with low rates. Those photographers normally either end up building volume studio businesses or not surviving in business long at all. Some of them are hobbyists making a bit on the side with a full time job.

Personally? I don’t want to take any of those routes. I’ve never wanted a volume studio. It makes me exhausted thinking of doing 100 sessions a month. Someone told me at Imaging this year that they do 25 sessions a week and I wanted to cry. Not my thing at all. I also don’t want to have to take up a full time job so that I can afford to keep doing photography. Perfectly valid choice if you want to do it. I’d rather make a profit doing what I love, and only that.

There are likely other people in your area who are charging a lot more. Or the people in your area could be driving to other cities to hire more expensive photographers.

If everyone in your area is charging $50 for a session, you’ve got a great advantage if you charge more, because a higher PRICE is perceived as being of higher value!

Target carries some nice, large purses. I’ve owned several of them over the years. Normally priced at $30 – $40, they do the job. They are large and roomy, tote my things around, and fall apart by the end of the season. I don’t expect much out of them because they were inexpensive. If they last two months? Well, I probably abused the heck out of them and got my money’s worth.

Kate Spade carries lovely, large purses. Leather, durable, handles that are comfortable for me to carry. Easily in the $300 – $400 range, they not only do a job, but they say something about me when I carry them. As a brand, they make a statement. I probably like things that are a little quirky, bright, colorful. I like classic pieces that are timeless and versatile and I can use year after year. Since they are leather, I can easily clean them. As long as I condition them, they will last.

There is room for both of these purses in my closet.

What if Kate Spade told herself, “I can never possibly charge $400 for a purse! I mean, Target sells perfectly good bags for $40?!”

Sounds crazy, doesn’t it?

You get to set the prices for your brand. You should know exactly what you need to make to turn a profit and to not burn yourself out. To build a business that allows you to be happy in what you are doing. This isn’t just a job, this is your LIFE. Make it what you want it to be.

Because I promise you, there are people in your area who are spending money on luxury items. Look at the large TV on their wall, the numerous game systems that they have bought for their kids (or themselves), the iPhone they have in their pocket, possibly with an iPad or other tablet device in their bag not 3 feet away, the designer clothes they are wearing, the brand of purse on their arm, and the luxury vehicle that they drive.

They will be glad that someone is out there that is more expensive, because they want nice things, and if it costs more, that is yet another differentiator that tells them that YOU are valuable to them.

What you don’t get to do is tell me how you simply can’t charge rates that allow you to be profitable because no one in your area will pay them. I don’t believe you.

* Of course, all of this requires you to take some decent photographs, and to do the leg work to build a brand. It isn’t impossible. It isn’t rocket science even. But it does take a bit of determination. I believe in you. You can do it! I’ll be talking more about resources that can help over the coming weeks — including Fight Club — the July 2013 Fight Club in Denver has ONE SPOT left, and I’ll be there as one of the coaches, helping the Fighters along their journey! Sign up for that last spot!