Urgent Server Maintenance


  • John Price

    Hi,

    The servers have now been rebooted. We are continuing to check to make sure all is ok for your return to work in the morning.

  • John Price

    Hi,

    As of 2:15am this morning, all server reboots and checks have been completed, and everything looks ok.

    If you notice any strange behavior, then let our Obsessive support team know straight away.

     

    We will update you on the base cause for this emergency maintenance over the next few days, but everything is now ok.

     

    Thanks for your patience.

     

    John Price

  • John Price

    Hi,

    I said I would tell you more about this, particularly because of the late notice you got.

    Whenever we or our hosting company become aware of a security vulnerability, whether in our systems or (as in this case) in third-party software, we face a balancing act.  We want to be as transparent as possible with you, our customers, so you can join us in taking actions to secure your data.  But we don’t want to advertise the vulnerability before it’s fixed — lest we, in effect, ring a dinner bell for the world’s cyber criminals.

    That’s the dilemma that we faced over this issue. The key, once a bug is identified, is to fix it swiftly and quietly.  This particular vulnerability could have allowed naughty people to read snippets of data belonging to our customers, or to crash the server. We wanted to flag the issue as quickly as possible, but we didn't want to do so until we had a software patch in place to address the vulnerability.

    When we learned of the security issue and realized its significance, the engineers at our hosting company worked to develop and test an update, and organize a reboot plan.  The patch wasn't ready until the evening of Friday, Sept. 26.  As the technical details of the vulnerability were scheduled to be publicly released on Wednesday, Oct. 1, we were faced with the difficult decision of whether to start our reboots over the weekend, with short notice to our customers, or postpone them until Monday. The latter course would not allow us to sufficiently bring our servers back online for you to continue working Monday.  It would jeopardize the ability to fully update all the affected servers before the vulnerability became public, thus exposing our customers to heightened risk.

    We decided the lesser evil was to proceed immediately, at which time we got notified, and thus notified you, of the need for an urgent server reboot.  Even then, to avoid alerting cyber criminals, we didn't mention the reason for the reboot.  We’re relieved to report that there has been no data compromise of any customers.  Now that the vulnerability has been fully blocked, the embargo on talking about it has been lifted so I can post this.
