engberg

Employee Alumni
  • Content Count: 8,894
  • Days Won: 2

Posts posted by engberg


  1. Hi, JaneDoes -

     

    Our client applications (e.g. Evernote for iPhone, Evernote for Mac, etc.) are written so they are capable of being used against either the evernote.com service or the yinxiang.com service. Once you're signed in to evernote.com, the application "knows" that you're an Evernote user and should never communicate to the yinxiang.com service.

     

    Before you log in (e.g. on a new install), the software reaches out to get some basic configuration information about the different services. This just sends the service a request that says something like "My preferred language is US English". The client gets information about the service, including the correct URL to open Support tickets for that service, whether Twitter posting is enabled, etc.:

    https://dev.evernote.com/doc/reference/UserStore.html#Fn_UserStore_getBootstrapInfo

    So that doesn't send any personal identifying information or data, it just retrieves the canned configuration information for the service in question based solely on your OS language preference.

     

    Under normal circumstances, most clients will just get all of this information from servers on evernote.com unless your OS language is set to "Simplified Chinese". But if your client can't get information about the yinxiang service from evernote.com for some reason, it may go directly to the source to ask about the configuration settings for the China service.

     

    You happened to hit this on Thursday morning, when you launched the Mac client (with no account signed in yet) at the same time we were having a 30-minute service interruption (see http://status.evernote.com/).

    So your client tried to learn about both services from evernote.com, the servers were unable to reply and the client decided to do a one-time lookup for the yinxiang.com configuration information by asking yinxiang.com servers directly.

     

    Now that you've signed in to the client, you should see that the Evernote application never tries to connect to yinxiang.com again. (I've been running Little Snitch on my MacBook for at least a year, and have never seen it.)

     

    One thing to note about Evernote and Little Snitch ... most of the time, our application only talks to our own servers. But web clips can sometimes throw that off if you manage to clip a web page that includes a reference to the original image on a remote web server instead of copying and storing the image inside your Evernote account itself. In this case, you may see your client go make a network request to that remote web server to retrieve the image when you view the note.

    We try to avoid this in our own software by fetching and storing the images at the time of the clipping, but that can occasionally go awry if we don't have permissions to download the image at the time of the clip, or if the HTML snippet is inserted into a note from a third-party application that doesn't do the right gyrations.

     

    Thanks,

    Dave

    • Like 5
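The remote-image behaviour described in the post above can be checked per note. The following is an added example, not part of the original post and not Evernote's code: it lists the hosts a viewer would contact when rendering a note. It assumes note markup in which stored resources appear as `en-media` elements and images that were not copied remain as `img` elements with absolute URLs; the sample note, host names and the `audit_note` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
from collections import defaultdict

# Constructed sample note body (not real Evernote data): one image stored in
# the account as <en-media>, two still on remote servers, one inline data: URI.
SAMPLE_NOTE = """<en-note>
<p>Clipped article</p>
<en-media type="image/png" hash="0123456789abcdef0123456789abcdef"/>
<img src="https://cdn.example.net/photos/header.jpg"/>
<img src="http://tracker.example.org/pixel.gif?id=42"/>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw="/>
</en-note>"""


class RemoteImageAudit(HTMLParser):
    """Collect images the viewer must fetch from hosts outside the note."""

    def __init__(self):
        super().__init__()
        self.embedded = 0                 # resources stored with the note
        self.remote = defaultdict(list)   # host -> list of image URLs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "en-media":
            self.embedded += 1
        elif tag == "img":
            url = urlsplit(attrs.get("src") or "")
            # Only absolute http(s) sources name a remote host;
            # data: URIs carry the image bytes inline.
            if url.scheme in ("http", "https") and url.hostname:
                self.remote[url.hostname].append(url.geturl())


def audit_note(markup):
    """Return (embedded resource count, {remote host: [image URLs]})."""
    parser = RemoteImageAudit()
    parser.feed(markup)
    parser.close()
    return parser.embedded, dict(parser.remote)


if __name__ == "__main__":
    embedded, remote = audit_note(SAMPLE_NOTE)
    print(f"embedded resources: {embedded}")
    for host, urls in sorted(remote.items()):
        print(f"remote host {host}: {len(urls)} image(s)")
```

Hosts reported here are the ones a network monitor such as Little Snitch would show when the note is opened.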

  2. My pleasure!

     

    There's a bit too much on this thread to try to wade in point-by-point on page 9, but I want to make sure everyone knows that we do hear your concerns and take them seriously.

     

    While we have a great team who works hard to balance the needs of our 100+ million users, we obviously screw up from time to time and introduce bugs or make UI changes that make some tasks harder (while trying to improve others).

    We'll keep working to get things right, and the feedback from the forum and from Support tickets is a huge part of that.

     

    But we do feel that our top responsibility is to be the best custodians of your life's work. Above all else, we want to make sure your data is protected. Hopefully, this will let you trust us to keep managing the things you write and collect.

    But we also feel extremely strongly that it's your right to take your information elsewhere if we should ever lose your trust:

    http://blog.evernote.com/blog/2014/06/03/evernotes-three-laws-data-protection-update/

     

    Thanks

    • Like 6

  3. Illustrious -

     

    I spent a couple of hours researching your ticket yesterday and this morning to help Terry answer your questions. We take allegations of security risks extremely seriously.

     

    While I understand your frustrations, I'm positive that Evernote did not disclose anything from or add anything to your account without your consent (or the consent of someone logged into your account using the web browser on your computer).

     

    In both of the cases you mention in June, someone on your computer chose to authorize those third party web services to create notes within your Evernote account. Shortly after each of these authorizations, those services took non-Evernote data and used it to create notes and notebooks in your account. None of your notes were accessed by those services, and none of the data they put into your account came from other Evernote accounts.

     

    I say that this came from your own computer because I went through our logs to confirm that the same IP address had been used in surrounding days to access your account from your client, web clipper, and web browser. And the web browser used in surrounding days was identical (in "User-Agent") to the one that authorized Springpad import to Evernote.

     

    Since you deleted the notes that Springpad imported from your account, and since their service is no longer available, I can't rule out the possibility that they pushed notes from the wrong Springpad account into Evernote after your browser granted them access. But it's also possible that the content came from the right authenticated Springpad account. (We heard no other reports of incorrect behavior from any of the people who did the same import.)

     

    However, I absolutely agree with your general recommendation that Evernote users should choose carefully which third-party applications they permit to access their Evernote accounts, just like you should choose carefully what applications should have permission to read your email or access your banking web site.

     

    We try to help with this decision by enumerating exactly which capabilities you're granting each application. I.e. some applications have permissions to read your notes, others do not. We encourage developers to request only the permissions they absolutely need, and we've added some safety features (e.g. "Note History") to protect against accidental note damage from third party applications.

     

    And we will, of course, terminate the access of any applications that are actually mishandling the data of the Evernote users who have granted them access.

    • Like 9
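The log check described in the post above (same IP address across client, clipper and browser in surrounding days, and an identical browser User-Agent) can be expressed as a small correlation routine. This is an added example, not part of the original post and not Evernote's tooling; the event layout, addresses, User-Agent strings, dates and the three-day window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real service logs):
# (timestamp, source_ip, user_agent, channel)
UA = "Mozilla/5.0 (Windows NT 6.1) ExampleBrowser/35.0"
EVENTS = [
    ("2014-06-09T09:12:00", "198.51.100.7", "DesktopClient/5.5", "client"),
    ("2014-06-09T20:40:00", "198.51.100.7", UA, "web"),
    ("2014-06-10T08:03:00", "198.51.100.7", UA, "clipper"),
    ("2014-06-12T21:15:00", "198.51.100.7", UA, "web"),
    ("2014-06-13T07:55:00", "203.0.113.50", "OtherBrowser/1.0", "web"),
]
AUTH_OK = ("2014-06-11T19:30:00", "198.51.100.7", UA)
AUTH_ODD = ("2014-06-11T19:30:00", "192.0.2.99", "Scripted/0.1")


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(auth, events, window_days=3):
    """Compare a third-party authorization with the account's nearby activity."""
    auth_time, auth_ip, auth_ua = parse(auth[0]), auth[1], auth[2]
    window = timedelta(days=window_days)
    nearby = [e for e in events if abs(parse(e[0]) - auth_time) <= window]
    # Channels (client, clipper, web) that used the authorizing IP address.
    ip_channels = {e[3] for e in nearby if e[1] == auth_ip}
    # Was the authorizing User-Agent already seen from that same address?
    ua_seen = any(e[1] == auth_ip and e[2] == auth_ua for e in nearby)
    other_ips = sorted({e[1] for e in nearby if e[1] != auth_ip})
    return {
        "ip_channels": ip_channels,
        "ua_seen_from_same_ip": ua_seen,
        "other_ips_in_window": other_ips,
        "consistent": bool(ip_channels) and ua_seen,
    }


if __name__ == "__main__":
    for name, auth in (("AUTH_OK", AUTH_OK), ("AUTH_ODD", AUTH_ODD)):
        print(name, correlate(auth, EVENTS))
```

A `consistent` result only shows the authorization came from the account's usual machine and browser; it does not show what the third-party service did with the access afterwards.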

  4. The clipping works correctly on the released version of Chrome (version 10), but the unstable testing versions 11 and 12 broke our clipping. We should have a fix in a few days, but I always recommend people stick with the released version of software unless you absolutely need to use a beta (e.g. you're a software engineer testing your own web site for compatibility).


  6. The best way to clip web pages into Evernote from IE is to use the native clipper that's built into our Windows client. In order to use the native clipper, just make sure that you've got the latest version of Evernote for Windows installed (or, if you don't have Evernote for Windows, download it from http://www.evernote.com/about/download/windows.php). If Evernote for Windows is running on your system, you can right click inside any web page in IE and clip the page to Evernote. Clipping web pages in this fashion happens completely on your local computer and does not involve any servers other than the site you're clipping from. Additional clipping options can be found under the little Evernote icon in the system tray.

    If you don't want to use the native clipper, you can install the Evernote bookmarklet into IE. However, there is a security setting in later versions of IE which prevents the Evernote bookmarklet web clipper from executing correctly. You can disable this setting by going to Tools->Internet Options->Security, turning off "Enable XSS filter" and restarting IE. This will allow the bookmarklet clipper to work but may increase your vulnerability to "cross site scripting" attacks on malicious web sites. Basically, this setting in IE tries to prevent a certain type of security risk by disabling features in the browser which are used by several legitimate services, among them our clipper. If you are not comfortable changing this security setting, you should use one of the other two clipping options.

    The third way to clip pages from IE is to cut and paste the URL and any desired portion of the web page directly into Evernote. This is the least convenient option but it doesn't require installing any software or changing security settings in IE.
