Security update

You are wonderful. We’ve been experiencing this day by day for almost ten years now. Whether you’re getting in touch with a question, or a suggestion on how to improve mite: we experience savvy and knowledge, sympathy and kindness. And, most notably, helpfulness. For this, we thank all of you.

Today, we’d like to thank one person especially: Marcel Eichner. He informed us about a security vulnerability last Thursday. Thanks to his detailed description, we could immediately reproduce it. We deployed a security fix three hours later. Thanks for your support, Marcel!

One, we do not have indication for an exploit of the vulnerability. Two, personal data could not have been read or modified. Nevertheless, as a matter of principle we want to inform you in detail.

The problem had slipped in to our open data interface, the mite.api. Every project in mite has a unique identification number (ID), and is optionally assigned to a customer. Over the API, time entries can be created for a given project. The project is referenced by its ID. mite checks if a project with this ID exists, and whether it belongs to your own account. If the check fails, the project ID in the server response is set back to “null”.

To improve performance, the server response not only contains the project ID, but also, if existent, the ID, name, and hourly rate of the project’s customer. The vulnerability was hiding in the check outlined above, within its chronological order. If the project ID belonged to an account other than you own, the project ID was correctly nulled as described, but the server response contained, if existent, the described data of its customer.

The server response did not disclose to which mite.account the customer belonged. Thus, one could have found out that any company that uses mite works for a customer such as “Acme Inc.”, but not, which company. And fortunately, it is not highly sensible information that any undefined team on the world works for a customer such as “Acme Inc.”.

The vulnerability thus wasn’t a highly critical one, and it is now closed. But it was able to slip in, even though we take security very seriously. That’s why we are so thankful to Marcel. And that’s why we’d like to ask all of you to please get in touch with us immediately if you should become aware of any other weak spots in the future.

E-mail works best in such cases. Please find our PGP key as well as all other communication channels right here. Please describe as detailed as possible what you did, how mite reacted, and how mite should have reacted. Code snippets help a lot, also screenshots, information on the technology you use, or anything else that might be important to help us reproduce the problem – and fix it as fast as possible. Please support us in keeping mite healthy and bug-free. For all of you.

Julia in Tech talk

Scheduled maintenance on May 31st

Our hoster will perform maintenance work in our main data center during the night from Monday to Tuesday, May 31st, between 0:00 and 6:00 AM CEST. They will update the core routers. During the given timeframe, internet connection might be disrupted for up to two hours. Unfortunately, mite won’t be available then.

We wish our hoster SysEleven a smooth course of these necessary works. And we ask for your understanding. Hopefully, these updates won’t interfere with your working hours.

Update: Maintenance has been completed successfully at 4:18 AM. mite was continuously available.

Julia in Tech talk

Updated backend engine

Since yesterday night, mite is running on an updated version of its underlying application framework. Furthermore, we deployed some small fixes, e.g. performance improvements for users with a very high number of active customers and projects.

Deploying such updates is a routine job as a mite.caretaker. We document yesterday’s update here today because it temporarily introduced a bug. Fortunately, several users let us know immediately.

We have fixed the error as well as its temporary effects in the meantime. But we don’t want to sweep such problems under the rug, but instead inform you in detail about what went wrong and how we dealt with it. You should be able to count on that.

So here we go: We deployed the update yesterday evening at 19:42 CEST. If you locked a time entry thereafter, or edited it via bulk edit, or started or stopped the timer on it, its revenue was set to zero, so its correct hourly rate didn’t take effect. We fixed this bug with another update tonight at 1:58 CEST. Then, we fixed the revenue of all time entries that had been edited since 19:42 and had been affected by the bug. We finished these fixes tonight at 4:08 CEST. So the error is fixed, and all data is correct again. But if you edited time entries between yesterday evening, 19:42 CEST, and tonight, 4:08 CEST, and exported them right away, we’d like to advise you to nevertheless double-check their exported hourly rates and revenue.

An undocumented change in mite’s underlying application framework caused the bug. Of course, we run automated as well as manual tests before each and every update. But unfortunately, we did not catch this one. Thus, we’re already extending our testing procedures.

We are so sorry. And we don’t treat this lightly, you can be sure about that.

Please get in touch with as much details as possible via e-mail if you happen to stumble upon any other problem, so we can get rid of it it right away. We won’t back down from our ambition to keep mite bug free!

Julia in Tech talk

Scheduled maintenance

Tonight, starting at 8:15 PM CET (what time is that for me?) until approximately 9:15 PM, we’ll deploy some important updates to our servers. Within this time frame, mite won’t be available for about 10 minutes. We ask for your understanding.

Update: Maintenance took us a little longer than expected, but went just fine. mite was unavailable for four minutes only. Thanks for having kept your fingers crossed!

Julia in Tech talk

Remodeled Excel export

At the tab »Reports => Time entries« and optionally on shared reports, you can export time entries to Excel, and at »Reports => Projects«, projects. We remodeled these export features. Until now, mite generated Excel-specific XML. Now, mite generates XSLX.

Techie lingo aside, this update should ensure one thing: a stable, smooth export of your data. In current versions of Excel as well as, hopefully, in future ones.

Please tell us if the new export format does not work smoothly for you, and specify the exact version you’re running. We tested the new export on Windows on Excel 2016 and 2013, on Mac OS on Excel 2016, 2013, 2011, Numbers 3.6, OpenOffice 4, and LibreOffice 5, as well as on Excel Online.

Julia in Tech talk

Updated documentation of the mite.api

Developers, hear hear: we overhauled the documentation of our open data interface, the mite.api.

Besides the known XML format, all requests are now finally depicted in JSON, too. Furthermore, we described common mistakes, HTTP status codes, and some previously undocumented features such as sorting time entries, filter shortcuts, and HTTP caching.

Cheers to a more helpful documentation, and happy coding! Please be so kind and get in touch if you stumble upon any inconsistencies.

Julia in Tech talk

Today’s service interruption

Since 14:05 CEST, mite is not available due to a problem in our primary data center. We’re terribly sorry, please, excuse us! We’ll do everything to get mite up and running again as soon as possible. Please visit Twitter to get the newest information on this issue, we’ll update continuously.

Update: Since 14:51 CEST, mite is available and at your service again. Of course, your data was safe anytime. You can always rely on that.

The interruption occured because of a network/DNS problem in our main data center. We’ll discuss it in-detail with our hoster soon, and try to come up with improvements. Again: we are so sorry for this downtime!

Update: The network problems were caused by a line fault in the greater Berlin area which resulted in large parts of the Internet at the internet exchange node BCIX not being reachable. Thus, our hoster has diverted traffic to another node. Since then, mite has been available and stable again.

Julia in Tech talk

Today’s service interruption

Between 8:16 and 8:39 CEST this Friday morning, mite was unavailable for all users. We are so sorry for this interruption!

A kernel error in our main database server caused the downtime. All monitoring systems warned us right away. Two minutes later, we were investigating. Three minutes later, our hoster was hands on, and restarted the server in question. This fixed the root of the problem, but mite needed some more minutes to get back on track completely. Tracking timers were not interrupted. And of course, no data was damaged – it was not in danger at any time.

Again: we are very sorry. Nevertheless, we’d like to take this interruption as an opportunity to thank our hoster SysEleven. Since July 2012, a few hiccups for less than five minutes aside, mite was running steadily and reliably. This was the first big downtime in almost three years. That’s a great service level. Thanks for your support, SysEleven.

Julia in Tech talk

Updated background engines

Since last night, mite is running on a new version of its underlying application framework. Starting at 1am (CEST), we took mite offline for about 15 minutes to deploy the update and perform some database migrations.

If you cannot notice anything working differently, we put our thumbs up. Yes, the update speeds up mite a little bit and will help us maintaining it, but it did not change anything on a feature level. Nevertheless, if you happen to stumble upon a bug, please tell us so we can fix it right away. Send us a detailed e-mail which includes information on your browser version. Thanks!

Julia in Tech talk

Security update: Heartbleed

The Heartbleed bug is a vulnerability in OpenSSL that was disclosed on Monday night, April 7th (CEST). OpenSSL is a very popular cryptographic software library. Approximately two thirds of all servers use it to encypt Internet traffic. The Heartbleed weakness could have been exploited by attackers to eavesdrop on communications, steal data, and compromise secret keys of SSL certificates.

Here at mite, we used and are using OpenSSL, too. Today, we want to tell you in detail how we reacted to Heartbleed, when, and which actions we took to secure your data. This information comes a little late. We are sorry about that. On the technical side, we were so much faster! You could rely on us, and you can rely on us in the future, too.

  • We learned about Heartbleed on Tuesday morning, 9:20am.
  • As soon as a security patch was available for our systems, we started to install them. At 12:02am, all of our servers were successfully patched.
  • As a measure of precaution, we requested a new SSL certificate with new keys. We rebooted all servers. Since 12:24am, they use the new certificate. As the certificate was re-issued by DigiCert Inc, you won’t see this new validation date, don’t let this fool you.
  • We changed all of our passwords on all systems.
  • Tonight, we will invalidate all cookies. You will have to log-in again.

Better safe than sorry, so please change your passwords for mite, too. Click on your user name in the upper right-hand side to do that.

OpenSSL is widespread, and Heartbleed thus affected lots of services. Please think about changing your password for other services, too, especially webmail services. You can check whether or not a service is patched thanks to services such as this one. If so, check if the certificate is a new one, or ask if it was re-issued. Then, change your password.

Thanks for your attention. Now back to work!

Julia in Tech talk