Security update

You are wonderful. We’ve been experiencing this day by day for almost ten years now. Whether you’re getting in touch with a question, or a suggestion on how to improve mite: we experience savvy and knowledge, sympathy and kindness. And, most notably, helpfulness. For this, we thank all of you.

Today, we’d like to thank one person especially: Marcel Eichner. He informed us about a security vulnerability last Thursday. Thanks to his detailed description, we could immediately reproduce it. We deployed a security fix three hours later. Thanks for your support, Marcel!

One, we have no indication that the vulnerability was exploited. Two, personal data could not have been read or modified. Nevertheless, as a matter of principle we want to inform you in detail.

The problem had slipped into our open data interface, the mite.api. Every project in mite has a unique identification number (ID), and is optionally assigned to a customer. Over the API, time entries can be created for a given project. The project is referenced by its ID. mite checks if a project with this ID exists, and whether it belongs to your own account. If the check fails, the project ID in the server response is set back to “null”.

To improve performance, the server response contains not only the project ID but also, if the project has a customer, that customer’s ID, name, and hourly rate. The vulnerability was hiding in the check outlined above, in the order of its steps. If the project ID belonged to an account other than your own, the project ID was correctly nulled as described, but the server response still contained the customer data described above, if the project had a customer.

The server response did not disclose to which mite.account the customer belonged. Thus, one could have found out that some company that uses mite works for a customer such as “Acme Inc.”, but not which company. And fortunately, it is not highly sensitive information that some unidentified team somewhere in the world works for a customer such as “Acme Inc.”.
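The check-ordering flaw described above, reduced to a minimal Ruby sketch with the flawed handler beside a corrected one. This is an added example, not mite's code; the data model, handler names and sample records are hypothetical and constructed for illustration.

```ruby
# Constructed sample data: two accounts, each with one project and customer.
Customer = Struct.new(:id, :name, :hourly_rate)
Project  = Struct.new(:id, :account_id, :customer)

PROJECTS = {
  10 => Project.new(10, 1, Customer.new(100, "Own Customer", 8000)),
  20 => Project.new(20, 2, Customer.new(200, "Acme Inc.", 12000)),
}.freeze

# Flawed order: the customer block is built from the raw lookup, and the
# ownership check only nulls project_id afterwards.
def create_entry_flawed(account_id, project_id)
  project  = PROJECTS[project_id]
  response = { project_id: project_id }
  if project&.customer
    c = project.customer
    response.merge!(customer_id: c.id, customer_name: c.name, hourly_rate: c.hourly_rate)
  end
  response[:project_id] = nil unless project && project.account_id == account_id
  response
end

# Corrected order: resolve the project inside the caller's account first;
# every derived field is built only from that authorized record.
def create_entry_fixed(account_id, project_id)
  project = PROJECTS[project_id]
  project = nil unless project && project.account_id == account_id
  response = { project_id: project&.id }
  if (c = project&.customer)
    response.merge!(customer_id: c.id, customer_name: c.name, hourly_rate: c.hourly_rate)
  end
  response
end

# Regression check: a foreign project ID must yield no customer fields at all.
def leaks_foreign_customer?(handler)
  response = handler.call(1, 20) # account 1 references account 2's project
  (response.keys & %i[customer_id customer_name hourly_rate]).any?
end
```

A test of this shape asserts on the whole response body for a foreign ID, not only on the nulled field, which is what catches data attached before the ownership check runs.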

The vulnerability thus wasn’t a highly critical one, and it is now closed. But it was able to slip in, even though we take security very seriously. That’s why we are so thankful to Marcel. And that’s why we’d like to ask all of you to please get in touch with us immediately if you should become aware of any other weak spots in the future.

E-mail works best in such cases. Please find our PGP key as well as all other communication channels right here. Please describe in as much detail as possible what you did, how mite reacted, and how mite should have reacted. Code snippets help a lot, also screenshots, information on the technology you use, or anything else that might be important to help us reproduce the problem – and fix it as fast as possible. Please support us in keeping mite healthy and bug-free. For all of you.

Julia in Tech talk

Scheduled maintenance on May 31st

Our hoster will perform maintenance work in our main data center during the night from Monday to Tuesday, May 31st, between 0:00 and 6:00 AM CEST. They will update the core routers. During the given timeframe, internet connection might be disrupted for up to two hours. Unfortunately, mite won’t be available then.

We wish our hoster SysEleven a smooth course of these necessary works. And we ask for your understanding. Hopefully, these updates won’t interfere with your working hours.

~~
Update: Maintenance has been completed successfully at 4:18 AM. mite was continuously available.

Julia in Tech talk

Updated backend engine

Since last night, mite has been running on an updated version of its underlying application framework. Furthermore, we deployed some small fixes, e.g. performance improvements for users with a very high number of active customers and projects.

Deploying such updates is a routine job as a mite.caretaker. We document yesterday’s update here today because it temporarily introduced a bug. Fortunately, several users let us know immediately.

We have fixed the error as well as its temporary effects in the meantime. We don’t want to sweep such problems under the rug, but instead inform you in detail about what went wrong and how we dealt with it. You should be able to count on that.

So here we go: We deployed the update yesterday evening at 19:42 CEST. If you locked a time entry thereafter, or edited it via bulk edit, or started or stopped the timer on it, its revenue was set to zero, so its correct hourly rate didn’t take effect. We fixed this bug with another update tonight at 1:58 CEST. Then, we fixed the revenue of all time entries that had been edited since 19:42 and had been affected by the bug. We finished these fixes tonight at 4:08 CEST. So the error is fixed, and all data is correct again. But if you edited time entries between yesterday evening, 19:42 CEST, and tonight, 4:08 CEST, and exported them right away, we’d like to advise you to nevertheless double-check their exported hourly rates and revenue.

An undocumented change in mite’s underlying application framework caused the bug. Of course, we run automated as well as manual tests before each and every update. But unfortunately, we did not catch this one. Thus, we’re already extending our testing procedures.

We are so sorry. And we don’t treat this lightly, you can be sure about that.

Please get in touch with as much detail as possible via e-mail if you happen to stumble upon any other problem, so we can get rid of it right away. We won’t back down from our ambition to keep mite bug free!

Julia in Tech talk

Scheduled maintenance

Tonight, starting at 8:15 PM CET until approximately 9:15 PM, we’ll deploy some important updates to our servers. Within this time frame, mite won’t be available for about 10 minutes. We ask for your understanding.

~~
Update: Maintenance took us a little longer than expected, but went just fine. mite was unavailable for four minutes only. Thanks for having kept your fingers crossed!

Julia in Tech talk

Remodeled Excel export

At the tab »Reports => Time entries« and optionally on shared reports, you can export time entries to Excel, and at »Reports => Projects«, projects. We remodeled these export features. Until now, mite generated Excel-specific XML. Now, mite generates XLSX.

Techie lingo aside, this update should ensure one thing: a stable, smooth export of your data. In current versions of Excel as well as, hopefully, in future ones.

Please tell us if the new export format does not work smoothly for you, and specify the exact version you’re running. We tested the new export on Windows on Excel 2016 and 2013, on Mac OS on Excel 2016, 2013, 2011, Numbers 3.6, OpenOffice 4, and LibreOffice 5, as well as on Excel Online.

Julia in Tech talk

Updated documentation of the mite.api

Developers, hear hear: we overhauled the documentation of our open data interface, the mite.api.

Besides the known XML format, all requests are now finally depicted in JSON, too. Furthermore, we described common mistakes, HTTP status codes, and some previously undocumented features such as sorting time entries, filter shortcuts, and HTTP caching.

Cheers to a more helpful documentation, and happy coding! Please be so kind and get in touch if you stumble upon any inconsistencies.

Julia in Tech talk

Today’s service interruption

Since 14:05 CEST, mite has not been available due to a problem in our primary data center. We’re terribly sorry, please excuse us! We’ll do everything to get mite up and running again as soon as possible. Please visit Twitter to get the newest information on this issue; we’ll update continuously.

~~
Update: Since 14:51 CEST, mite has been available and at your service again. Of course, your data was safe at all times. You can always rely on that.

The interruption occurred because of a network/DNS problem in our main data center. We’ll discuss it in detail with our hoster soon, and try to come up with improvements. Again: we are so sorry for this downtime!

~~
Update: The network problems were caused by a line fault in the greater Berlin area which resulted in large parts of the Internet at the internet exchange node BCIX not being reachable. Thus, our hoster has diverted traffic to another node. Since then, mite has been available and stable again.

Julia in Tech talk

Today’s service interruption

Between 8:16 and 8:39 CEST this Friday morning, mite was unavailable for all users. We are so sorry for this interruption!

A kernel error in our main database server caused the downtime. All monitoring systems warned us right away. Two minutes later, we were investigating. Three minutes later, our hoster was hands on, and restarted the server in question. This fixed the root of the problem, but mite needed some more minutes to get back on track completely. Tracking timers were not interrupted. And of course, no data was damaged – it was not in danger at any time.

Again: we are very sorry. Nevertheless, we’d like to take this interruption as an opportunity to thank our hoster SysEleven. Since July 2012, a few hiccups for less than five minutes aside, mite was running steadily and reliably. This was the first big downtime in almost three years. That’s a great service level. Thanks for your support, SysEleven.

Julia in Tech talk

Export projects to Excel or as a CSV

At the tab »Reports => Projects«, mite lists all of your projects with their total hours, revenue, and budget status. You can now export this information to Excel or as a CSV file, too. The new feature sits in the right sidebar.

We’d like to thank all feedbackers. Hopefully, this update will support you in keeping all of your projects on track.

Julia in New features

New project, (no) customer assigned

Every now and then, when you add a new time entry at the tab »Time tracking«, you realize that the project you want to assign your time entry to has not been created yet. That’s why mite offers a shortcut to add projects right from the select menu.

When you clicked on the list item »Add project«, you could until now only pick a name for the new project.

Add new project shortcut, assign to customer

Now, you can also choose which customer your new project should be assigned to.

Thanks to all of you who suggested this improvement! Hopefully, this little helper will smoothen your time tracking.

Julia in New features