The premise is that you create a “tumblelog,” which Jason Kottke describes as a “quick and dirty stream of consciousness.”  Tumblr allows the user to achieve this by posting long-form, quotations, links, and a variety of media.

This type of service is generally more fun/useful if one’s friends are involved.  Thus, the likely sequence of events for new users is:

1. Find Tumblr.com via link or Google.
2. Follow “Sign Up” or “Log In” links on Tumblr home page.
3. Submit/create an ID and password to access your dashboard.
4. Find and invite friends by allowing Tumblr to “Look up your contacts”–this imports contacts from your mail service of choice (Google, Yahoo!, Hotmail, etc.), which requires that you provide Tumblr with the username and password for said service[1].

There’s just one problem: At no point did it occur to the folks at Tumblr that they might want to encrypt form submissions.  Both the Sign Up and Log In links on the home page send the user to an unencrypted page, and post information in the clear [login.pcap][2].

Assuming that they notice and care, end-users can log in via an encrypted form, but this requires that they know to edit the URL by hand prior to entering data [video].  It is recommended that Tumblr subscribers bookmark the following URL if they wish to log in: https://www.tumblr.com/login.

And it gets better/worse . . .

Once the user logs in and visits the Goodies page, Tumblr offers to locate friends by importing contacts from a personal mail service.  Tumblr accepts the (arguably more sensitive) username and password for these services, and transmits these in the clear as well [import_contacts.pcap].

Oddly enough, an end-user attempting to submit this information via an encrypted form will be thwarted by a redirect, sending them back to the unencrypted page prior to data entry [video].

One would think that an observant end-user would catch one or both of these gaping security holes, but my guess is that the overwhelming majority of their six million or so users haven’t noticed or don’t care.  Then again, one would also think that that at least one person on the Tumblr engineering team would consider safeguarding user data in transit.  Alas, collective fail.

UPDATE01: It’s bad enough that they knowingly implemented the service in this manner, but Tumblr was made aware of this by an end-user Mar 2010.  Aug 2010: No change.

UPDATE02: Another concerned user reported this to Tumblr in Jan 2010.

UPDATE03: A brief survey of popular social sites indicates that Tumblr and Digg appear to be the only two that knowingly take your Google (Gmail) account credentials and pass them in the clear.

———————-

[1] Many web sites offer this type of temporary contact import, but do so safely.  Lesson: “Trust but verify.”

[2] Many HTML forms on unencrypted pages POST to encrypted URLs, protecting the data in transit.  That is not the case here, thus the packet captures for validation.

The way out in such a case is remarkably simple:

1. Always carry at least one spare memory card when taking photographs in public.
2. If you believe that compliance with a request to delete might be your only option, then by all means, delete away. Format the card in-camera if you must.
3. Do NOT take another photograph. Turn the camera off, and walk away.
4. Before you turn the camera on again–and certainly before you even think about taking another photograph–remove that memory card and drop in a spare.
5. Go home, and use a free and capable image recovery program to extract the “deleted” images from the original media.
6. Post them on-line, have them printed on t-shirts, or hand them out as stickers on the same street corner during the next big event.

[1] The operative word here is “public.” If you are taking photographs in an area where photography is expressly prohibited, you may be breaking the law. And failure to comply fully with the authorities might just buy you a night (or more) in jail. Don’t be a dumbass.

“Hack proof servers”

See? Hack-proof. Nothing to worry about . . .

Whether this denial was the result of a procedural failing on Halvar’s part, part of a new policy requiring that we fear Germans, or something else entirely remains to be seen.

UPDATE1: Turns out that it was a procedural error of sorts. Turns out that a company must consist of more than one person. Or something like that.

UPDATE2: Wired’s Threat Level blog is covering this as well.

This is Officer Malara, Arlington County Police Department, working a private detail commissioned by the occupants of 3701 N. Fairfax Dr., Arlington, VA.

Officer Malara stopped to take information from a friend and I on the grounds that he observed us taking photographs in a “high security area.” And by “taking photographs in a ‘high security area’” I mean being in possession of a camera while walking down the street opposite several blocks of non-descript office buildings, less than a block from the Virginia Square-GMU Metro station.

Unfortunately, that we weren’t breaking any law, nor were we disobeying any posted warning became a moot point once we were asked for identification (unlike public photography, failure to comply with a request for identification by a police officer is grounds for detention). So, we provided the information that was requested of us, were asked to delete any photographs that we had taken of the facility at 3701 (the photo above was the first that I’d taken), and off we went.

Could we have plead our case on the scene? Sure. Would it have done any good? Doubtful. Once you’ve been stopped and asked for identification, your options are more or less limited to compliance or a free ride to the county jail. Being harassed for photography in public sucks, but it sucks a lot less than being booked. More importantly, I had plans to meet family and friends for lunch at the Old Brogue, and wasn’t about to cancel on account of this nonsense.

So, what to do? I chose to file a complaint (PDF) with the Arlington County Police Internal Affairs Section (IAS). The following were submitted to IAS on 11 May 07:

• Incident Report (PDF)
• Internal Affairs Complaint (PDF)

A summary of my requests:

• A bunch of administrative information (I.e., chain of command, badge numbers, etc.).
• A copy of any related report filed within the Arlington County Police Department containing my name or identifying information.
• A copy of the policy or code section granting officers the authority to question and/or request information from individuals engaged in photography.
• A comprehensive list of locations within Arlington County that 1) may not be photographed and 2) display no indicators to this effect.

On 11 Jun 07, following several discussions with my investigator, I received the following in response:

• Chief’s Response (PDF)
• IAS Response (PDF)

A summary of the outcome:

• Aside from the flurry of paperwork generated by my complaint, I have no “record” in Arlington County.
• My information was provided to the security official at this installation.
• I now have the name and phone number of said official, who will soon be in possession of his very own FOIA request.
• These types of policies are, in theory, under review per the chief’s directive.
• I now have a copy of the Arlington County “Terrorism Intelligence and Prevention” policy, which grants police the right to stop persons in possession of dangerous things like cameras and binoculars.
• As expected, there exists no comprehensive list of locations within Arlington County that 1) may not be photographed and 2) display no indicators to this effect.

I lack the motivation to address the points in these responses one-by-one. But suffice it to say that, while I agree with the intent of this policy, I believe the implementation to be flawed. The intent, of course, is to protect . . . something. The implementation, on the other hand, does nothing more than perpetuate fear, and impose a hardship on law-abiding citizens.

These policies, containing vague terminology and lists of items that might at some point be used by someone to do something bad, exist so that the police can find just cause to stop people who legitimately give them the creeps. And to the extent that one of these policies might one day prevent someone from doing something really bad, I’m fine with them. But, as the chief points out in his response, meeting one of the criteria on such a list does not a suspicious person make. Officers are urged to “exercise appropriate discretion.” And in this case, I find it very hard to believe that exercise of appropriate discretion would yield that two young men, casually walking down a busy public street taking photographs, who happen to be opposite some unmarked but supposedly high security facility, qualify as suspicious.

Further, setting aside the issue of officer discretion, the most disturbing aspect of this incident is the simple fact that we had no way of knowing that we were acting in a manner that might have been so much as considered suspicious. If the subject in question is devoid of any type of external marking or warning sign, one should have no reason to suspect that it cannot be photographed (or approached while in possession of photographic equipment). And it follows that one should certainly have no reason to suspect that photographing such a subject might land one’s name on a list, or in a database. Reasonable, law-abiding people tend to avoid these types of things when it can be helped. Thus, my request for a list of locations within Arlington County that are unmarked, but at which photography is either prohibited or discouraged according to some (public or private) policy. Of course, such a list does not exist. Catch-22.

The absurdity of this type of situation is clear: We’re being penalized for violating poorly documented, questionably legal (an argument that I’m certainly unqualified to make) and arbitrarily enforced policies. We’re not being told what is expected of us. And to the extent that we are able, we need to take a stand. We need to know our rights, document the fact that we’ve been wronged, and work for change. And if we fail to enact change, the very least that we can do is make it such a pain in the ass to harass photographers that those who would otherwise jump at the chance will think twice, if for no other reason than to avoid a mountain of paperwork and an internal affairs investigation.

UPDATE1: For those who have expressed interest, I’ve compiled of list of sites where further discussion on this topic can be found. If I’m missing one (or more), please submit the link in the comments over there, as opposed to here.

UPDATE2: See my comment below regarding guidelines for discussion–they are few, and should not be unexpected. No racial slurs. No name-calling. No wishing other participants harm. And please don’t re-submit antagonizing comments because you think you’re being censored–I’m approving anything that doesn’t meet the criteria that I’ve just listed, as quickly as I’m able. Some type of site-wide, formal discussion policy to come . . .

UPDATE3: There’s some dispute in the comments as to the state of “stop and identify” laws in Virginia and Arlington County. It’s too much to cover in an update, so I’ve written more on the subject here.