Glitch fixed.

Or should that be s..t fixed?

Anyway, I have fixed the bug that caused the problem in two places. It is now impossible to enter a blank email address via the front end screens, and (in case anyone feels like getting clever and calling the thing directly) I have also fixed the back end such that it will not accept blank email addresses when searching for users, since it doesn’t make much sense to return these to anyone anyway!

Again, I apologise. This should never have happened and it should never happen again…

I was affected too…

In a bizarre twist that I have only just discovered, I am unable to access my Jabber account because:

The password has been changed…

All JABBER USERS who did NOT have an AtomIC account before they used our Jabber service (i.e. those that created the Jabber account by USING a Jabber client) will need to mail support@atomic-systems.com to have their password reset…

SORRY!

Again.

To the bottom and beyond

I have found out what happened with the new password system and I’m not sure how to say this without seriously losing face, but:

It IS a system glitch that caused the problem.

In a rather obscure chain of events that took place last night, I can confirm that exactly 1000 users (though that is a coincidence) were emailed new passwords, three times, as a result of a failure of our code to check what now appears to be an obvious data input error…

The scenario is thus:

On the screen you are supplied with if you cannot log in to the system, there is a text input box and a button. If you merely click the button, WITHOUT entering a valid email address, the system will reset the passwords of ANYONE and EVERYONE who has NOT set either their private email or their public email. Users who have not set their private email will receive NO notification of the change, because the system cannot send it to you, since your email address is invalid. However, users who have a private email address and a blank public email address (a perfectly acceptable situation, and indeed, for some people’s peace of mind, a required one so that they remain anonymous to their readers) will have received notification that their password has changed.
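The blank-address lookup described above, as an added illustration that is not AtomIC/DearDiary code (the user records, field names and function names are constructed): the pre-fix search compares the submitted value against both address fields with no blank check, so an empty submission matches every account with a blank address, while the post-fix search refuses blank input before it ever queries.

```python
# Added illustration (not AtomIC/DearDiary code): models the password-reset
# lookup described in the post. User records and field names are constructed.
import secrets

# Constructed sample user table. alice: private address set, public blank
# (an anonymous diarist); bob: neither set; carol: both set.
USERS = [
    {"user": "alice", "private_email": "alice@example.com", "public_email": ""},
    {"user": "bob", "private_email": "", "public_email": ""},
    {"user": "carol", "private_email": "carol@example.com", "public_email": "carol@example.com"},
]


def find_users_by_email_buggy(users, email):
    """Pre-fix lookup: the submitted value is compared against both address
    fields with no blank check, so a blank submission matches every account
    whose private or public address is blank."""
    return [u for u in users if email in (u["private_email"], u["public_email"])]


def find_users_by_email_fixed(users, email):
    """Post-fix lookup: blank or whitespace-only input is rejected before the
    search runs, as the fix in the post describes. The single-match guard is
    an extra defence-in-depth check that the post does not mention."""
    email = (email or "").strip()
    if not email:
        raise ValueError("an email address is required to reset a password")
    matches = [u for u in users if email in (u["private_email"], u["public_email"])]
    if len(matches) > 1:
        raise ValueError("address matches more than one account; refusing to reset")
    return matches


def reset_passwords(users, email, lookup):
    """Reset every matched account and report who would get the notification
    mail (sent to the private address) and who is reset silently."""
    notified, silent = [], []
    for u in lookup(users, email):
        u["password"] = secrets.token_urlsafe(12)
        (notified if u["private_email"] else silent).append(u["user"])
    return {"reset": len(notified) + len(silent), "notified": notified, "silent": silent}
```

Running the buggy lookup with an empty string reproduces the post's two outcomes: alice is reset and notified, bob is reset silently, and carol is untouched.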

The bottom line is this:

  • There was NO hack attempt. There were exactly 11 accesses to the new password script before midnight last night (three in short succession), and 26 between midnight and the time Matt disabled the change password system. That is not indicative of a hack attempt.
  • NO data has been lost – though the inconvenience is perhaps incalculable.
  • There was no likelihood of your accounts being compromised – the person who made the mistake on the change password form will NOT have received your new passwords, because there is no way to send them to him/her.
  • The above-mentioned person almost certainly did NOT do this deliberately. Indeed, to do so he would have to have read our code and realised the bug. (Something I realised as soon as I saw it.)

All in all this is just rather an embarrassing wake-up call for us that we must NEVER take the security of the system for granted, but fortunately this time, the cause was most definitely benign.

If you have any questions, please direct them to me (steve@atomic-systems.com) directly, as Matt hasn’t been involved in this particular investigation and you’re not likely to get a quick answer from him this weekend anyway. Alternatively, and always preferred, please use support@atomic-systems.com.

AtomIC Systems IP Ltd wishes to apologise to the 1000 or so users who have been inadvertently troubled by this situation. We do take your privacy and the containment and security of your data seriously (and we thank F-Secure Corporation for their generous sponsorship some time ago, which we still use), and you can see our commitment to your privacy at http://www.deardiary.net/privacy.shtml

Again, our sincere apologies to all who were worried by the mass mailing of new passwords.

Steve.

Password Change Disabled

Until we can get more time to investigate the problem (I have family over this weekend, for example!) I have disabled/removed the code that does the password changing, so if this is someone being an asshole they will just be greeted with a 404 now.

At least you can be sure your passwords will now remain constant for more than five minutes.

I am going to be so pi**ed off if this turns out to be someone playing games, and if you’re reading this, we will find you and we will push this through the legal system. *sigh*

Matt.

Unwanted Password Changes

As yet we do not know whether it is a system glitch or whether someone has managed to write something that is being very annoying.

Please remember, no-one can gain access to your diary by resetting the password: they cannot ‘guess’ what it might be set to, and they won’t receive the e-mail that’s sent with the new one, since that will come to you, assuming you have your mail address set up properly.

We will be investigating the situation throughout the course of today, and will let you know more as anything comes up.

Apologies for the inconvenience; please don’t panic, no-one can get your password through this method.

Steve.