alexz  

The people-tab is broken.

35 comments

alexz posted to #Qaiku 29.03.2009 (en)


eholmila  

Could you elaborate on how it's broken? It seems to work quite okay, at least for me..

eholmila commented on posted to #Qaiku 29.03.2009 (en)

mcastel  

for me (on Firefox) it seems to work correctly...

mcastel commented on posted to #Qaiku 29.03.2009 (en)

alexz  

@eholmila: Sure. It looked like it would be a global problem. Look at the screenshot here: http://screencast.com/t/HDHl9m7LQj. As you see, it is a database dump along with source code.

Also, I found my password in clear text (when I scrolled down) and three other users' passwords too (@sakari, @simsion and @bergie). That kind of worries me.

alexz commented on posted to #Qaiku 29.03.2009 (en)

alexz  

It seems that it randomly shows users' passwords for me (under the People tab); because of that I have now found another user's password (@keskju). I feel shocked. I'm not a hacker or a good programmer, but this feels wrong, that it is pretty easy to find passwords.

alexz commented on posted to #Qaiku 29.03.2009 (en)

alexz  

Feels like I should call @eholmila or someone who works with Qaiku...

alexz commented on posted to #Qaiku 29.03.2009 (en)

eholmila  

Update here as well: we are working to find out what's going on and why, as passwords should be saved only in scrambled form. We'll post updates here.

eholmila commented on posted to #Qaiku 29.03.2009 (en)

unquote  

Yes, so far it works perfectly for me too

unquote commented on posted to #Qaiku 29.03.2009 (en)

eholmila  

Here's an update of this situation: we are truly sorry.

If we can find any positive sides to this situation, it is that the issue was restricted and the database dump was shown at maximum to only a few users (== users with the Swedish language tag who saw the broken Qaiku message in the People page, e.g. logged in in a certain time window, altogether six users) due to very unfortunate coincidences. The problem was not "site wide" at all, but in these cases every failure is too wide.

In the database dump the user's password was shown and unfortunately in some cases it was not scrambled. The password leaked in the People page's "most active" list because of the misconfiguration. We'll send an email to every user, altogether 30 people, whose password has been at risk of being shown (scrambled or not) just to make sure.

Security in general has been our guiding star from the very beginning we started developing websites. In our work we use several security approaches and defensive programming to be sure that nothing like this would ever happen. Defensive programming means (among other things) that if one part should fail, it does not matter as the second or third part will save the day.

One of the basic rules of the security in the software development is that passwords are never saved in clear text and we sure thought we had nailed this one as it's the basis of everything. In Qaiku we use dedicated functions to scramble the passwords, but along the road something was broken for a certain time and because of that part of the passwords were not scrambled. The problem in question has already been fixed for some time, and none of the newer accounts were affected.

The irony is that after taking all the security cautions we were too sure of ourselves; double checking of the critical parts after the launch was not properly done and words cannot tell how angry we are with ourselves because of this. We hope you can forgive us and hopefully still trust us after this as well. We can, and we will do better.

What's happening next? We are going to have a long discussion about what went wrong, how we could have prevented it, and after that we are going to make some changes to our development process to make sure of this kind of situation in the future.

Even if Qaiku is in early beta, it doesn't explain a stupid stupid thing like this. We are genuinely ashamed and awfully sorry. We will learn from this.

Yours

@eholmila, @tepheikk and @TomiS

eholmila commented on posted to #Qaiku 29.03.2009 (en)

eholmila  

Pinging @herra, @minks, @LauriN and @cybette whose email address we don't have.

eholmila commented on posted to #Qaiku 29.03.2009 (en)

alexz  

Thank you @eholmila for your fast response. Although this is truly shocking for everyone that realized what actually happened, my love to this great service will not fade away. I guess you have learned and I will trust you now. :) So stop to store passwords in plain text. ;) Good luck in the future.

alexz commented on posted to #Qaiku 29.03.2009 (en)

eholmila  

@alexz, thanks a lot for your input and the text message! And as for passwords: yes, from now on we will double or triple check these things every time we make changes anywhere near that code.

eholmila commented on posted to #Qaiku 29.03.2009 (en)

bubu1uk  

@eholmila: just sent @cybette a message via Facebook. Don't have her email either, but hope she'll read that asap. ;)

bubu1uk commented on posted to #Qaiku 30.03.2009 (en)

cybette  

Thanks @Bubu1uk. 6am here, still not quite awake... What do I need to do?

cybette commented on posted to #Qaiku 30.03.2009 (en)

minnaryyni  

@cybette: Change your password.

minnaryyni commented on posted to #Qaiku 30.03.2009 (en)

cybette  

On mobile now, doesn't seem possible from the m-dot site. Let's try the full site....

cybette commented on posted to #Qaiku 30.03.2009 (en)

cybette  

Changed. Hope no damage is done for everyone involved. Now back to sleep and hope no one kicks me awake again...

cybette commented on posted to #Qaiku 30.03.2009 (en)

eholmila  

I'd say the risk is very low (as the situation was very restricted), but even if it's low it is there, and then the only recipe is to react just to make sure. @cybette, sorry you had to wake up.

eholmila commented on posted to #Qaiku 30.03.2009 (en)

Jemiweb  

Thanks for the quick info, Qaiku team. Password changed.

Jemiweb commented on posted to #Qaiku 30.03.2009 (en)

sakari  

This message is written in a foreign language!

@eholmila The link for more information didn't really work...

sakari commented on posted to #Qaiku 30.03.2009 (fi)

eholmila  

@sakari, ah, you probably don't have English selected among the languages you know? I'll send you the same message by email.

eholmila commented on posted to #Qaiku 30.03.2009 (fi)

jtirila  

@eholmila, I certainly didn't lose my trust or affection to your service. As you say yourself, this was a devastating incident, but hey, we're all here to learn from our mistakes. I think the number of people around us who could with a 100% certainty say they would have done a better job is very small. And, I think it became very clear from your text that you actually do know pretty damn well what you are doing and how to fix issues. With the prerequisite, of course, that we believe (as I do) that your account of what happened was truly frank.

I'm writing such a lengthy text because I think the way you reacted to this was very nice - bigger companies could learn from such communication. Thank you.

jtirila commented on posted to #Qaiku 30.03.2009 (en)

mcastel  

@eholmila thanks for your quick info, I've just changed my password. Let me add that, notwithstanding that the issue was indeed severe, I appreciated a lot your way of reacting to this situation: your mail is kind and explicative and does not try to minimise in any way possible mistakes from your side.

My love for this project remains unaffected.

mcastel commented on posted to #Qaiku 30.03.2009 (en)

pompo  

@eholmila: Just to make it clear:
Did/do you or did/do you not store users' passwords as plain text?
If you did/do only for some users, how is it possible for an authentication method to work for both these user groups at the same time?

pompo commented on posted to #Qaiku 30.03.2009 (en)

pompo  

...and a usability issue, too: as @sakari had problems with viewing posts in an unknown language, how about a button for setting a post's language as known right on the post?

pompo commented on posted to #Qaiku 30.03.2009 (en)

BUGabundo  

Password changed! Luckily I don't reuse passwords, so I guess the damage wasn't all that bad.

@eholmila next time, please use a Qaiku address... until I read the thread, I thought it was a phishing scam.

BUGabundo commented on posted to #Qaiku 30.03.2009 (en)

BUGabundo  

"Even the best cloth gets stained by red wine"

BUGabundo commented on posted to #Qaiku 30.03.2009 (pt)

TomiS  

@pompo Yes, unfortunately for a certain time we did store passwords as plain text. However, that problem has now been fixed for some time and all passwords that are being generated at the moment are scrambled.

The authentication service is partly handled by the software platform we use. It can handle both cleartext and scrambled passwords as a core feature by using a certain prefix for cleartext passwords.

TomiS commented on posted to #Qaiku 30.03.2009 (en)

pompo  

@TomiS Thanks for making things clear.

pompo commented on posted to #Qaiku 30.03.2009 (en)

sakari  

@pompo called my nick and all I see is a notice about a foreign language. And no, not going to change that :) @eholmila send me the caption of this in email.

sakari commented on posted to #Qaiku 30.03.2009 (fi)

cybette  

@eholmila oh the waking up wasn't due to Qaiku, it was this, but I have a habit of checking email even when my eyes are not fully open :) I think I still had one eye closed when I changed my password...

cybette commented on posted to #Qaiku 30.03.2009 (en)

bubu1uk  

@cybette: so hopefully you'll remember it even though you typed it with eyes nearly closed. :P

bubu1uk commented on posted to #Qaiku 31.03.2009 (en)

cybette  

@bubu1uk yeah I do remember it coz I had to re-enter it later on for my 2 phones, 3 laptops and 1 desktop :D

cybette commented on posted to #Qaiku 31.03.2009 (en)

bubu1uk  

@cybette: ur not geeky at all. :D I got only 2 laptops. :D

bubu1uk commented on posted to #Qaiku 31.03.2009 (en)

eholmila  

Here's the updated situation: as said none of the newer accounts are affected by this and all the passwords generated are scrambled. This means that if you change your password (even if you "change" your password to the same old password) the new password is scrambled.

However, we still have the clear text situation with some of the old accounts. We are trying to minimise the work that you, the users, have to do because of us. We will 'mass scramble' all the clear text passwords as soon as we get our mass scramble script ready and thoroughly tested on our dev servers (we really really don't want to mess this up). There are some known hazards in doing this, so at the moment our best educated guess is that this should be done, tested and ready on this Thursday (the day after tomorrow). In the meantime we are taking all possible cautions not to drop the ball again.

We already know that there will be some issues with some of the accounts, but we will contact these individuals personally by email or by pinging them if we don't have their email addresses.

Once again, we are very very sorry for all the inconvenience caused :(

eholmila commented on posted to #Qaiku 31.03.2009 (en)
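The two mechanisms discussed in this thread, a password store that distinguishes cleartext entries from scrambled ones by a prefix (@TomiS's reply to @pompo) and a one-off "mass scramble" pass that rewrites the remaining cleartext entries and reports the accounts it could not migrate (@eholmila's update above), as an added example that is not Qaiku's code or the code of the platform it runs on. The prefixes `plain:` and `pbkdf2:`, the PBKDF2 parameters and the user records are all constructed for illustration; the page does not say which prefix or hash the platform actually uses.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Hypothetical markers; the real platform's prefix is not given on the page.
PLAIN_PREFIX = "plain:"   # legacy entry: the password itself follows the prefix
HASH_PREFIX = "pbkdf2:"   # scrambled entry: iterations$salt$derived-key, base64
ITERATIONS = 100_000

def scramble(password: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 record in the HASH_PREFIX format."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "%s%d$%s$%s" % (
        HASH_PREFIX, ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )

def verify(stored: str, candidate: str) -> bool:
    """Check a login attempt against either record format, in constant time."""
    if stored.startswith(PLAIN_PREFIX):
        # Legacy path kept only so old accounts keep working until migrated.
        legacy = stored[len(PLAIN_PREFIX):].encode("utf-8")
        return hmac.compare_digest(legacy, candidate.encode("utf-8"))
    if stored.startswith(HASH_PREFIX):
        try:
            iters, salt_b64, dk_b64 = stored[len(HASH_PREFIX):].split("$")
            salt = base64.b64decode(salt_b64)
            expected = base64.b64decode(dk_b64)
            dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, int(iters))
        except (ValueError, TypeError):
            return False   # malformed record: refuse rather than guess
        return hmac.compare_digest(dk, expected)
    return False           # unknown format: refuse

def audit_cleartext(users: Dict[str, str]) -> List[str]:
    """List accounts whose stored record is still cleartext (what a dump would expose)."""
    return sorted(name for name, rec in users.items() if rec.startswith(PLAIN_PREFIX))

def mass_scramble(users: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Rewrite every cleartext record as a hash.

    Returns the new table and the accounts that were left untouched because
    their record is in neither known format; those need manual follow-up,
    the "non mass scramble suitable" case described in the thread.
    """
    migrated: Dict[str, str] = {}
    unsuitable: List[str] = []
    for name, rec in users.items():
        if rec.startswith(PLAIN_PREFIX):
            migrated[name] = scramble(rec[len(PLAIN_PREFIX):])
        elif rec.startswith(HASH_PREFIX):
            migrated[name] = rec               # already scrambled, keep as-is
        else:
            unsuitable.append(name)            # unknown format, do not touch
            migrated[name] = rec
    return migrated, sorted(unsuitable)

# Constructed sample table: two legacy cleartext accounts, one scrambled, one malformed.
USERS_BEFORE: Dict[str, str] = {
    "alice": PLAIN_PREFIX + "correct horse battery staple",
    "bob": PLAIN_PREFIX + "hunter2",
    "carol": scramble("already-hashed", salt=b"\x00" * 16),
    "dave": "md5?3a1b",                         # unrecognised record
}

if __name__ == "__main__":
    print("cleartext before:", audit_cleartext(USERS_BEFORE))
    after, todo = mass_scramble(USERS_BEFORE)
    print("cleartext after:", audit_cleartext(after))
    print("needs manual handling:", todo)
    print("alice still logs in:", verify(after["alice"], "correct horse battery staple"))
```

The migration only works because the cleartext is still available to hash; once every record carries the hash prefix the `plain:` branch of `verify` can be deleted, which is the point at which a leaked dump no longer reveals anything a user typed.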

eholmila  

New update: the first part of this quite complicated issue is solved. We have now 'mass scrambled' all the clear text passwords that were suitable for this operation. We tested the solution and it should've worked well - if for some reason your account, or the account of somebody you know, doesn't work, please contact us! We continue working on the second part, with the "non mass scramble suitable" accounts, and we will send these users an email at the beginning of next week.

eholmila commented on posted to #Qaiku 03.04.2009 (en)
