PickPic ver 3 Bug exposes artists to copyright theft
My girlfriend and I recently won a photo shoot at a silent auction for a local charity. A professional photographer came to our house, snapped the pictures of us and the dogs and then posted them on his web site for us to preview before we came into the office to make our final selections and order prints. Standard stuff.
The photos looked great on the web site and the web preview program, PickPic version 3, used JavaScript to place a dynamic watermark over the photo when the mouse was over it to prevent people from easily saving the file to their computer and/or printing it. It also had a rather common feature of disabling right-mouse click to view source code as well as allowing users to zoom in on a section of the photos (like a magnifying glass) to see the details of a small section of the picture.

Sample Photo (obtained legitimately):
Being your garden variety propeller head, I immediately saw a few problems with this that most web developers know about but most photographers may not.
- Relying on JavaScript to put a watermark over the picture or otherwise prevent “save image as” depends on the user having JavaScript running in their web browser. JavaScript can easily be turned off in any browser.
- Even with JavaScript running, the photo image is sent to the browser and stored in cache (local hard drive) and any modern browser will allow the user to view a list of images that are being displayed on the site.
- The Zoom feature actually triggers the download of a medium resolution image to the browser and relies on the JavaScript program (running in the browser) to only display a section of it to the viewer. Once the user zooms in on an image, the higher resolution version is stored in the browser cache and can easily be displayed as well.
Yikes!!!
Nothing I state here is something that hasn’t been stated a hundred times on various security sites or bulletins for web developers as best practices, and these issues apply to many other image programs that work the same way. Having said that, this is a prime example of how normal, non-technical people are using a program, like PickPic version 3, not knowing that they are giving easy access to their images to their clients and possibly cannibalizing their revenue from prints.
Here is an example of such a system on the Land’s End web site (and no, I am not getting any affiliate benefit from the link, so don’t buy anything) which works in a very similar manner, if you want to see this dynamic in action. Even though you only see part of the image that the JavaScript programmers dictate, the full image is stored in your cache and can be easily retrieved by the following options.
Most non-technical people of course will not realize this, but by implementing security through obscurity (a common phrase in computer security circles) you are relying on the user's ignorance to protect your intellectual property rather than a tried and true watermark of the image, which is the only way to really protect your assets. As our web browsers have become an everyday tool for most Internet users, it is not safe to assume that your clients will not have the basic knowledge to check the image cache or work around JavaScript restrictions. What is even more likely is that your average Internet user will know a geek, like myself, whom they can ask to walk them through the process.
As any professional photographer knows, you can easily set up a workflow (in Photoshop, Aperture, Gimp, whatever) to place your watermark on the actual image and then post the images in the PickPic program, rather than relying on the dynamic watermark and trusting the user's web browser to enforce the required protections, which of course can be easily circumvented.
PickPic 3 has been superseded by PickPic Pro, which addresses the issues by using Adobe Flash to display the image and manage the download of the higher resolution image so it does not get stored in browser cache. A large number of version 3 implementations are still out there, so I can only guess how many artists have unknowingly had their potential income for prints curtailed by semi-web-savvy users who consider the medium resolution images delivered from PickPic “good enough” to print decent looking 8×10’s.
OK – I had my say on the topic as it applies to most users and you can now make an informed decision on how and when to use the PickPic program.
Now a final word on a potential bug in the program that may allow programmers to download the high resolution version of your image assets, although I am still researching how this might be done. I started digging into the JavaScript code itself and noticed the following file, which is calling a script called “imageCreate.php” and passing it parameters to generate an image on the fly.
imageSrc = "http://www.photographers-web-site.net/pickpic/scripts/previewing/imageCreate.php?&imageid=6109&color=-1&border=-1&crop=0%2C0%2C1%2C1&image=100302_SOMENAME%2F%2F100302_001_SOMENAME.jpg&cache=local";
If one were to reverse engineer the code (or grab a copy of the source) it may be possible to pass different parameters to the script to get an even higher resolution image. I started to futz with this but got in trouble with the girlfriend for spending too much time, so am leaving it as an exercise to the user to determine if this vulnerability exists in the PickPic program.
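For anyone running or writing an image script of this kind, the fix belongs on the server: the request may choose which preview to show, never how large it is or whether it is watermarked. The sketch below is an added example, not PickPic's code; the parameter allowlist is taken from the URL above, while the 800-pixel cap, the reading of crop as fractions of the image, and every function name are assumptions.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed policy values for this sketch; they are not PickPic's.
ALLOWED_PARAMS = {"imageid", "color", "border", "crop", "image", "cache"}
MAX_PREVIEW_EDGE = 800  # longest edge in pixels ever sent to a browser
# The request URL quoted in the post, used as sample input.
SAMPLE_URL = ("http://www.photographers-web-site.net/pickpic/scripts/previewing/"
              "imageCreate.php?&imageid=6109&color=-1&border=-1&crop=0%2C0%2C1%2C1"
              "&image=100302_SOMENAME%2F%2F100302_001_SOMENAME.jpg&cache=local")

class RejectedRequest(ValueError):
    """Raised when a preview request fails validation."""

def _single(query, name):
    values = query.get(name, [])
    if len(values) != 1:
        raise RejectedRequest(f"{name}: expected exactly one value")
    return values[0]

def plan_preview(url):
    """Validate a preview URL; return what the server agrees to render."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    unknown = set(query) - ALLOWED_PARAMS
    if unknown:
        raise RejectedRequest(f"unknown parameters: {sorted(unknown)}")

    # Assumption: crop is x0,y0,x1,y1 as fractions of the image, in [0, 1].
    crop_text = _single(query, "crop")
    try:
        x0, y0, x1, y1 = (float(p) for p in crop_text.split(","))
    except ValueError:
        raise RejectedRequest("crop: expected four numbers") from None
    if not (0 <= x0 < x1 <= 1 and 0 <= y0 < y1 <= 1):
        raise RejectedRequest("crop: outside the image")

    # The file must stay inside the gallery tree and be a JPEG.
    raw = _single(query, "image")
    path = posixpath.normpath(raw)
    if "\x00" in raw or path.startswith(("/", "../")) or not path.lower().endswith(".jpg"):
        raise RejectedRequest("image: path not allowed")
    if not _single(query, "imageid").isdecimal():
        raise RejectedRequest("imageid: not a number")
    # Size and watermark are server decisions; no request field changes them.
    return {"image": path, "crop": (x0, y0, x1, y1),
            "max_edge": MAX_PREVIEW_EDGE, "watermark": True}

if __name__ == "__main__":
    print(plan_preview(SAMPLE_URL))
```

The renderer that consumes this plan would composite the watermark into the pixels before sending the response, so what lands in the browser cache is already marked.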
Note that I am in no way promoting the theft of intellectual property from photographers. Instead, I strongly believe that the users of any software product should be fully aware of the risks and benefits of the tools they are using so that they can make informed decisions.
-John