(Archived) Serious security issue need help


Posted

Dear Team,

After deleting a 19,388 kb with sensible data both in the desktop version, synchronize and checked with the WEB version everything is OK, I have on my computer the "new" database I will work on both and which is occupying (based on settings in the Web version:)

Account summary

Username xxxxxxxxxxxxxx

Member since 04/03/2008

Quota 1 KB of 200 MB (0%)

I have actually two notebooks, with 4 notes that effectively must be under 700 bytes in total. (About trials in the notebooks called Prueba, Prueba2 and Prueba3)

HOWEVER MY DATABASE on my Desktop and which is now sync'd with the web STILL CONTAINS 19,388 kb!!!

So, I am in the situation where I am (as novice user) "convinced" I deleted my sensible data. I can see it is not on the Web (thanks to the settings info) and therefore I "think" my database on my Desktop will also contain only the new 1k data!

This is not true.

Here is the example of the actual .exb file whose data has been deleted and recreated from scratch:

DATA OF MY NEW DATABASE (the 1 k stated by the web and the expected data I suppose is contained and synchronized)

Ä 6first note in prueba. Ü R first note in prueba. ³ ‚blast year today yesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year images web page×& 0primera en prueba2H×' prueba 2 ha sido creada porque prueba no se sincronizo.... £ ‚Byesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year last year today×* ‚Byesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year last year today×- ‚Btoday yesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year last year>×. extranamente veo prueba 1 que existe todavia como notebook `a ver si esta nota se sincroniza en la web > | a ver si esta nota se sincroniza en la web £ ‚Btoday yesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year last yearL×5 extranamente veo prueba 1 que existe todavia como notebook ×6 :primera nota en prueba3×7 ‚" aqui estoy en prueba3 prueba1 no se ve por ninguna parte all notebooks says 3 notes in all notebooks (2 in prueba2, 1 in prueba3) ×8 ‚Btoday yesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year last year×; ‚Btoday yesterday this week last week this month last month this year last year today yesterday this week last week this month last month this year last year

×< ok entendi×= ‚( ok entendi prueba y unsynced notes are local (only on my puter, no sync!!!!9 prueba2 y prueba3 are private and syncable. .......etc

BUT somewhere further

DATA OF OLD DELETED DATABASE in the same .exb file I suppose is containing only the above example and nothing else

(first part in French, data of bank transaction!!!!, rest of other note in English with sensitive info I sent to a developer):

dividendes exercice 2006 décision du 17 mai 2007 eur 1.40 par actions comme on a versé eur 0.58 en septembre 2006 intérimaire, le dividende brut payable à partir du 14 juin 2007 est de 0.82 par action. donc: dividendes nets avec strips (retenue de 15%)= 61,640 x 0.697 = eur 42,963.78 sans strips (retenue de 25%)= 54 x 0.615= eur 33.21 total eur 42,996.99 versé le 24 juin sur compte 890-3217852-84 ‰{Ô7 “z problem with trial renewal period i entered the new code and obtained 20 more days of evaluation but only working in an administrative session where it is possible to "save as" or to export to word etc.. unlike the first trial period where i was able to use these function in my limited account (normal user) which is my working session, with the new trial period i am now unable to save as (not appearing in contextual menu) and the file/export menu gives a new more menu (??) that leads to a blank submenu (??) this is quite abnormal and probably a bug? or perhaps because i entered the code in the limited account (i cannot remember). in this case, why should it work as administrative and not as limited user....??? and if i entered the code in my administrative session...why cannot i have my normal user account work normally (as it was on the first trial) just in case, here are the new codes that are appearing now in the ctrl-shift-e new code 1: 314275812 same code 2: 2322745 should you give a new unlocking code to try the whole process again, i'll be glad to do so. (inform clearly in which session i should enter the unlocking new code) best regards .......etc

A bank account number, dates, amounts, codes numbers in the example all totally visible. (Have been changed for security )

EVERYTHING is there!!! My whole deleted database with more than 500 notes is there... Relevant, secret, sensible or just stupid, everything is there.

If somebody steals my computer and looks into this .exb he has all my info at hand! So what can I do in the meantime?

And obviously, the other question is:

Is this to be corrected in a future release?

I cannot physically delete the actual database as it is the one that the WEB is using!!! It is my actual .exb database. But I need ASAP to create a real new database and get rid of that .exb file

Tom

Posted

What you need is to "vacuum" the database (in terms of the SQLite engine we are using) to shrink its size and release the previously allocated space, in order to completely wipe out the secure data.

In recent versions of Evernote, the "autovacuum" option is turned on, so your database becomes smaller automatically when you purge data from it; however, if you have created the database long ago, there is no "autovacuum" option in your database file (and, due to SQLite limitations, you can't turn it on on any already existing tables).

Possible solutions:

A) Don't do anything -- this data will be overwritten once you start putting new data into Evernote (this may take a while, though)

B) Recreate the database: if you have no local notebooks in the database, you can simply delete the .exb file, open Evernote, log in and sync your data from the service; the newly created database will be created with the "autovacuum" option turned on.

C) Manually invoke the "VACUUM" SQL command against the database file. This requires some knowledge of how to work with SQLite databases. One option is to install some GUI SQLite manager like 'DISQLite' (google for that word), open the .exb file in this manager, switch to the SQL command window and type in the 'VACUUM' command (without quotes). Vacuuming can take several minutes.
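The behaviour discussed in this reply, as an added example that is not part of the original post and is not Evernote's code: a constructed SQLite file (hypothetical `notes_demo.db`, table `notes`, marker string) is filled, emptied with `DELETE`, and then rebuilt with `VACUUM`, checking after each step whether the deleted text is still readable in the raw file and how many free pages SQLite reports.

```python
import os
import sqlite3
import tempfile

MARKER = b"CONSTRUCTED-SENSITIVE-NOTE"  # constructed sample data, not from the thread


def leftover_report(con, path):
    """Return (free page count, file size in bytes, marker still readable in file)."""
    free_pages = con.execute("PRAGMA freelist_count").fetchone()[0]
    with open(path, "rb") as fh:
        raw = fh.read()
    return free_pages, len(raw), MARKER in raw


def run_demo():
    """Delete all notes, then VACUUM; report the file state after each step."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "notes_demo.db")  # hypothetical file name
        # Autocommit mode: VACUUM cannot run inside an open transaction.
        con = sqlite3.connect(path, isolation_level=None)
        con.execute("PRAGMA auto_vacuum = NONE")   # the no-autovacuum case from the thread
        con.execute("PRAGMA secure_delete = OFF")  # some builds default to ON; force it off
        con.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body BLOB)")
        con.execute("BEGIN")
        con.executemany(
            "INSERT INTO notes (body) VALUES (?)",
            [(MARKER + b" #%d " % i + b"x" * 400,) for i in range(200)],
        )
        con.execute("COMMIT")

        con.execute("DELETE FROM notes")  # rows are gone for SQL, pages go to the freelist
        after_delete = leftover_report(con, path)

        con.execute("VACUUM")             # rebuilds the file without the free pages
        after_vacuum = leftover_report(con, path)
        con.close()
    return after_delete, after_vacuum


if __name__ == "__main__":
    for label, (free_pages, size, found) in zip(("after DELETE", "after VACUUM"), run_demo()):
        print(f"{label}: free pages={free_pages}, size={size} bytes, marker readable={found}")
```

A non-zero `PRAGMA freelist_count` on a real database file is the quick check that deleted content may still be sitting in it.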

Posted

Dear Iafanasiev,

Thanks a lot for the info, I will try to do it immediately.

I am using the latest Windows desktop (3.0.0.594) (29654). And the database imported has been created with the latest version of 2.2.1.386

The 2.2.1 version does a vacuum, I can see that each time I delete a bunch of notes. So there might still be a small problem somewhere you could check.

Will keep you informed

Tom

Posted

Dear Iafanasiev,

PROBLEM REMAINS DELETING FROM DESKTOP OR FROM WEB VERSION. THE DESKTOP DATABASE STILL CONTAINS ALL THE DATA IN LEGIBLE FORM.

I created a new EN3 database on my PC thanks to your B) solution. The database is 96 KB

Then:

Creating a database in 2.2.1 from scratch of size 18,170 KB containing 82 notes.

Importing the brand newly created 2.2.1 database in EN3, size of the new .exb file is 19,308 KB

I made exactly the contrary of yesterday and instead of deleting from the DESKTOP version I did it now from the WEB version to see if there was a change in the behavior.

The log file states that the notebook was deleted, here it is:

Log opened on 2008/06/02 18:36:55 (UTC-4:00)

18:37 0% Authenticating user "xxxxxxxxxx" (changed my user name)

18:37 0% Connecting to preview.evernote.com

18:37 0% * loaded updateCount: 6718

18:37 0% Client updateCount=6718, server updateCount=6801

18:37 0% Retrieving list of changes from the server

18:37 0% Expunging 1 notebook

18:37 0% Expunged local notebook "TrialForEn3" with 82 notes

18:37 1% Expunging 82 notes

18:37 0% * saved updateCount: 6801

18:37 0% Session terminated normally, elapsed time: 3s

18:37 0% * sent: 332B, received: 3.4KB

18:37 0% * 1s (40%) spent in EDAM RPC

Log closed on 2008/06/02 18:38:50 (UTC-4:00)

The same error persists. The .exb file on my computer is even larger, it is now 19,333 KB.

The file on my PC is still there, data is still legible, nothing has changed.

And my settings on the web are weird, they state now:

Account summary

Username xxxxxxxxxxxxx

Member since 04/03/2008

Quota -22 MB of 200 MB (-11%) ???? Something is wrong here also!!!!

I would suggest you try personally both ways and see what is happening as the .exb file will remain on PC no matter from where you delete it.

I would like to know also why you deleted this thread from the forum as it is of public interest. (It wasn't visible today in the forum's list for day 31/05/08 when I posted it and got your answer.)

Best regards

Tom

Posted
I would like to know also why you deleted this thread from the forum as it is of public interest. (It wasn't visible today in the forum's list for day 31/05/08 when I posted it and got your answer.)

I'll let Igor answer your DB questions, but I just wanted to state the obvious: this topic was not deleted (or hidden, etc.). If it had been deleted, you wouldn't see it here at all. I think you just missed it in the topic list, since it got pushed down a ways due to other discussions.

Posted

Sorry Dengberg, not true

I could not send any reply to the forum because the thread was hidden. (The threads are ordered by reply by day so it is easy to check). It was NOT possible for me to answer from inside the forum because IT WAS NOT TO BE FOUND.

I was able to reply because I kept Iafanasiev with the Post Reply link into my EN database. And I replied from there.... from that link.

I know "I may be moderated" as you stated in a very Stalinic (or Pinochet) alike post, but we do not appreciate it. Do not "moderate" (or silence or hide or kill or....) people who are helping you make a living, on their own time and money. We do it gladly, no rewards, no medals.

You might not like some of our remarks, that is one thing. Eliminate our remarks is quite another.

By the way, other little detail not working.... you can drag PDF links into a new note, it will make a new note with the link and title but not Word or Excel... to be checked!

Tom

Posted

Tom -

I'm serious. No one moderated your post in any way. I even checked the Moderation logs.

Rhetorical tip: when someone tells you not to spam an Internet discussion forum, a comparison to Stalin (who murdered millions of people) is a bit hyperbolic. You might get better traction with a lighter comparison to someone like Nixon, or possibly Putin.

Thanks

Posted
Dear Iafanasiev,

PROBLEM REMAINS DELETING FROM DESKTOP OR FROM WEB VERSION. THE DESKTOP DATABASE STILL CONTAINS ALL THE DATA IN LEGIBLE FORM.

I created a new EN3 database on my PC thanks to your B) solution. The database is 96 KB

Then:

Creating a database in 2.2.1 from scratch of size 18,170 KB containing 82 notes.

Importing the brand newly created 2.2.1 database in EN3, size of the new .exb file is 19,308 KB

I made exactly the contrary of yesterday and instead of deleting from the DESKTOP version I did it now from the WEB version to see if there was a change in the behavior.

I stand corrected here. I said that:

In recent versions of Evernote, the "autovacuum" option is turned on

.594 still has no "autovacuum" option; this is fixed in our internal builds only, so will be available in next public release. Until then, try to use the options (C) or (A).

Posted

For Iafanasiev,

When you say "In recent versions of Evernote, the "autovacuum" option is turned on, so your database becomes smaller automatically when you purge data from it", and further ".594 still has no "autovacuum" option; this is fixed in our internal builds only, so will be available in next public release. Until then, try to use the options (C) or (A)." I thought that the recent version was the one we are using (misled from your first post). Obviously, testing now is useless until your new release. Thanks for the tip.

I prefer option (B) (to recreate the database by simply erasing it and let the file be re-created from scratch automatically) as it effectively works flawlessly, it does reduce the .exb (to 96 Kb) thus erasing all private data still existing in the problematic remaining file. Option (A) is not recommendable as you only cover slowly the sensible data as you fill with new data, so it might still be unwise. Option (C) is too "technical" for many users.

Thanks

Regards

Tom

Posted

To Dengberg,

I will not comment on the “hidden” or “not found” thread as there is no way to prove my point. The fact remains that, as I did not find it, I used the link provided by my saved reply in my EN 2.2.1.

About your rhetorical tip:

My sentence was related to your post

“This forum is for Evernote 3 users to discuss ideas and problems in a constructive way.

Re-posting the same grievances on multiple unrelated threads is forum spam. This does not help other Evernote 3 users discuss their issues and resolve their problems, and may require moderation.”

, in the thread Re: Error: 0% TException HTTP request failed at : viewtopic.php?f=30&t=6357&p=23612#p23612

I did not re-post the same grievances on multiple unrelated threads. I did mention the same flaws in three or four threads because they were about the subject treated. And the grievances, as you say, are justified.

It is by no means a spamming attitude and I felt quite bad about being accused of spamming when I try to be honest on one side, critic on another side, but yet positive in “nearly” all my posts (180-190 posts?)

You may have not appreciated my insistence on getting from your person a straight answer twice in the same thread. But that is because you are the champion of evasive answers, except when absolutely technical. And that is a problem with somebody who is in customer (or betatesting) relationship.

Again in this post, you are falling in the same problem.

You cannot give a rhetorical tip if you are confounding things and relating two unrelated premises. (That is called fallacy).

It is not your impression of spamming that led to the comparison with Stalin and Pinochet. It is the way you use the “...and may require moderation.” This is the point. It is taken as a menace, exactly the same way as it is in a dictatorship. And that is why I exemplified it with “moderate”, or "silence" or "hide" or "kill".... These were actually used in that way in real life (don’t forget I lived in Chile in those days).

If you had rephrased your post, things might have gone a completely different way. But your “tone” and attitude were way out of line.

Phil says in his first comment “I'd like to encourage all comments - good, bad and indifferent”, the forums (Evernote 2.1 and 2.2 Discussions, others) state: Please feel free to ask, answer questions and express your opinion” is exactly what I feel I am doing. And what I will keep doing.

I always had the best relation with Leo, Iafanasiev and Dnagy. They are kind, polite and honest. They never answered a question with unrelated and vague answers. They answer directly and to the point. And I reckon I do have a very bad relationship with you, with some reason on my side.

It is not your fault if EN3 is (still) filled with problems (everybody reckons that). It is not your fault this beta was released obviously too early. It is not your fault if nobody considers this Beta as an improvement of the previous version and are wondering about the future. And it is normal to receive complaints and sometimes quite angry posts because your customers are feeling bad about all this or because they do not receive satisfying answers. If you cannot bear it, don’t stay in a forum job. You don’t have the skills or the “correct political attitude” to attend customers. That is not your fault either.

In the meantime, we still are betatesting because by God it is seriously needed!!!!! (and I guess helpful to some)

Do not answer to this post; there is no point to continue a sterile discussion. But give it a thought.

Tom

Archived

This topic is now archived and is closed to further replies.
