Encryption/Security?

It is great that user data protection is being taken seriously in version 9.  I was going to let my subscription expire, but now that security appears to be getting the attention it deserves, I will stick around for another year.  I look forward to the final release.

How secure is WebBrain?
Hi Matt -

Thanks for passing the feedback on.  Unfortunately, until I'm convinced that the WebBrain's security is being monitored and pro-actively maintained and kept up-to-date against security threats, I've decided to stop using it for synchronising anything beyond general reference material.

TheBrain is incredibly powerful software that I was on the verge of giving up on due to data security concerns; however, rather than abandoning the solution entirely, I'm going to work around web security by using the ZIP function to transfer brains via USB between computers.  This is nowhere near as convenient as using the webbrain for synching brains, but security trumps convenience.

I may have to rethink about whether I maintain a yearly subscription, or simply purchase each new version of TheBrain as it comes out, because use of the webbrain and synchronisation is the main benefit of a subscription - and if I'm not going to use it, then what is the point of paying an annual fee for software that only goes through a major version update once in a blue moon?

On a very positive note:  it is good to see that the new version 9 of TheBrain has moved away from using Java.

I hope TheBrain takes the opportunity to get its security setup audited and certified by a third-party so those of us who are concerned about the privacy and security of our data can continue using the service with confidence.

Kind regards
Calendar missing?
It is very good to hear that the calendar is not being dropped from TheBrain 9.  The calendar is a key feature for how I use the brain to track time allocated to clients and projects throughout the day.  When I am working on a particular issue or client project, I create a calendar event within the brain for the relevant project's brain node.

The brain's calendar feature is extremely powerful and keeps me coming back to TheBrain as an organising and time tracking tool.
How secure is WebBrain?
Hello TheBrain -

As part of your shift to a better security model, please put proactive monitoring in place to detect when your site's certificates expire or are misconfigured.

Currently, the download website https://assets.thebrain.com/ from which version 8.0 downloads has an invalid certificate and/or configuration.  Windows 10 reports that the download cannot be confirmed as being from thebrain.com, and if you go directly to the website within the Edge Browser, the following is reported:

"There’s a problem with this website’s security certificate

This might mean that someone’s trying to trick you or steal any information that you send to the server. You should close this site immediately."

Browsing to the site using Chrome from within my client's corporate firewall, the certificate is reported as failed due to a common name mismatch, where the host name is 'assets.thebrain.com' but the common name is '*.cloudfront.net'.

Maintaining and proactively monitoring your certificates and public key infrastructure is no longer optional nowadays.  It does not fill me with confidence that this is the third time, on three separate occasions, that I've reported to TheBrain that your public websites' certificates are invalid or misconfigured.  You really should be proactively monitoring and managing these things.

Please get on top of certificates.  Seeing that public-facing certificates are not being proactively monitored and maintained doesn't make me confident that our data on the other side of the "SSL" connection is being looked after.

Please post when the SSL issue has been resolved, so I may confidently download version 8 from your site.  I do not trust downloads coming from unverified web servers.

It would also be nice if thebrain.com would proactively protect its customers by removing server-side website vulnerabilities as I documented in my previous comments above.

Kind regards 
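
The kind of proactive certificate check the post above asks for, written as an added example (not TheBrain's code): it reproduces the two failures reported in this thread, a common-name mismatch between 'assets.thebrain.com' and a '*.cloudfront.net' certificate, and an expired certificate. The certificate dictionary is constructed in the shape that Python's ssl.SSLSocket.getpeercert() returns; its names and dates are made up.

```python
import ssl
from datetime import datetime, timezone, timedelta

# Constructed certificate in the dict shape that ssl.SSLSocket.getpeercert() returns.
# Names and dates are made up for this example, not copied from any real server.
CLOUDFRONT_CERT = {
    "subject": ((("commonName", "*.cloudfront.net"),),),
    "subjectAltName": (("DNS", "*.cloudfront.net"),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
}

def utc(year, month, day):
    """Helper to build a timezone-aware UTC timestamp for the checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def hostname_matches(pattern, hostname):
    """RFC 6125-style comparison: '*' is accepted only as the whole left-most
    label and matches exactly one label, so '*.cloudfront.net' covers
    'd111.cloudfront.net' but not 'assets.thebrain.com' or 'a.b.cloudfront.net'."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]
    return p == h

def check_certificate(cert, hostname, now=None, warn_days=14):
    """Return the list of findings for `cert` presented by `hostname`; an empty
    list means the certificate is acceptable.  `now` is injectable for tests."""
    now = now or datetime.now(timezone.utc)
    findings = []
    # Browsers match against subjectAltName DNS entries; fall back to the CN
    # only when the certificate carries no SAN extension.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(hostname_matches(n, hostname) for n in names):
        findings.append("name mismatch: host %s vs certificate names %s" % (hostname, names))
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        findings.append("not yet valid until %s" % not_before.date())
    elif now > not_after:
        findings.append("expired on %s" % not_after.date())
    elif now + timedelta(days=warn_days) > not_after:
        findings.append("expires within %d days (on %s)" % (warn_days, not_after.date()))
    return findings
```

Run on a live endpoint, the same check can be fed the dictionary returned by getpeercert() after a verified handshake, and the warn_days finding gives the renewal warning before browsers start showing NET::ERR_CERT_DATE_INVALID.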

How secure is WebBrain?
Hi All,

I've used Microsoft Message Analyzer to perform a network trace of the SSL connection to webbrain.com when connecting with the Windows 10 Edge Browser and then the latest TheBrain 8.0.2.2 application.

Under both circumstances, the SSL connection negotiated using TLS and a secure cipher.

Interestingly, accessing webbrain.com using TheBrain application uses a weaker cipher (yet still secure) than when connecting using the Edge Browser.

The Edge Browser session uses the cipher:   TLS_ECDHE_RSA_AES_256_CBC_SHA384
TheBrain 8.0.2.2 app uses:   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

In either case, I'm feeling pretty confident that as long as I'm running on Windows 10 with the latest patches, the Windows 10 client will provide protection against the LogJam and Poodle attacks whether I connect using a browser or the Brain application.  However, anyone living dangerously and still using XP, or some other out-of-support or unpatched operating system, may want to exercise caution until WebBrain removes the server-side vulnerabilities as your client may allow an insecure SSL connection.

I think I've exhausted the subject from my side and will wait to hear back from WebBrain's engineers.

Kind regards


How secure is WebBrain?
Hi All,

For testing whether your web client is vulnerable to the Logjam Vulnerability (the cipher-strength vulnerability exposed at the webbrain.com website - I was wrong describing it as key exchange), try using the beta SSL vulnerability test at: https://dev.ssllabs.com/ssltest/viewMyClient.html

According to the website, Edge on the latest Windows 10 build and Windows 10 Mobile build are not vulnerable to either Logjam or Poodle, therefore I believe I'm safe accessing webbrain.com as long as I use it from these browsers. I haven't had a chance to test OSX Sierra's Safari yet, but I suspect it will not be vulnerable.

I still do not know the status of the Logjam vulnerability in regards to The Brain Windows application, which runs on Java.

The silver bullet for all of this is for security to be implemented at the web server, rather than relying upon client-side security.

Kind regards,
How secure is WebBrain?
Since posting about the SSL vulnerabilities of the webbrain.com website, I have learned that most modern browsers and operating systems have been patched by their respective developers to prevent the poodle attack exploit from the client-side.

The website https://www.poodletest.com/ will test whether a web browser is vulnerable.

Thankfully, none of the browsers that I use to access Webbrain.com are vulnerable to the poodle attack; e.g., Windows 10 Mobile Edge Browser; Windows 10 Edge Browser; OSX Sierra Safari browser.

Users of older browsers, though, should be warned that they may need to manually disable SSL3 to prevent themselves being vulnerable.

Also, it appears that since January 20, 2015, with the Java releases JDK 8u31, 7u75 and 6u91 and above, the Java Runtime Environment has disabled SSLv3 by default; The Brain version 8 running on my Windows 10 client is using JDK 8u101, so unless SSLv3 has been intentionally enabled, The Brain client should be safe, which I assume it is.

Oracle has provided instructions for checking/disabling the Java Runtime for SSLv3 at:
https://java.com/en/download/help/disable_sslv3.xml

And although I'm now pretty confident that "my TheBrain experience" is safe from the SSLv3 Poodle attack due to security measures implemented client-side, it should still be dealt with server-side as well.

I've just heard back from Patrick (@theBrain) - as I've just finished researching and writing this - that The Brain's engineers are looking into it.
How secure is WebBrain?
SSL vulnerabilities analysis of webbrain.com

Hi WebBrain,

I've run an analysis of the SSL security of the webbrain.com site using the Qualys SSL Labs online service.
https://www.ssllabs.com/ssltest/index.html

The analysis reports that webbrain.com has not been secured against the SSL3 Poodle attack and supports an insecure key exchange mechanism.

I know that the Poodle attack was big news a year or two ago and websites moved to secure against it.

I assume that something may have been missed in the configuration/reconfiguration of your web servers and want to make you aware of the security vulnerability.

Unfortunately, I've been unable to attach the PDF report generated by Qualys to this message. You can run the report yourself at the link above, and the output will provide instructive links about the implications of the vulnerabilities and how to configure and protect against them.

I only came across the Qualys tool because I'm considering signing up for another web service, "YNAB - You Need A Budget", and they state in their write-up of their security policies that they receive an A+ rating from Qualys for SSL security.

I hope you're able to address the issues as I'm understandably concerned about the security of my data.

Kind regards
How secure is WebBrain?
Thank you for the quick response.
How secure is WebBrain?
Internet Explorer and Chrome are both reporting that thebrain and webbrain.com's certificates have expired.

"Your connection is not private

Attackers might be trying to steal your information from webbrain.com (for example, passwords, messages or credit cards). NET::ERR_CERT_DATE_INVALID"

Is anyone else seeing this?
Feedback and New Features
For peace of mind, is it possible to have installation download files hosted on a secure website 'https' connection at The Brain? 
can't synch with Google Calendar
I'm happy to report that Google Calendar Sync appears to be working with The Brain 8 beta.  I haven't played with it rigorously, but so far, so good.  

It really should have been sorted out in version 7, which had it listed as a salient feature; yet nonetheless I am very, very happy that Calendar synchronisation will likely be working in the final release of The Brain 8.

I was so close to cancelling my subscription out of frustration and the perception that the product had been abandoned.  I'm glad I didn't because the new beta looks really good and the new and fixed functionality is quite good.  For me, being able to organise thoughts chronologically and view my  thought events across calendars on my various devices through synchronisation to Google makes it a great diary and GTD tool.
can't synch with Google Calendar
The reason that Google Calendar synchronisation is so important is that it is The Brain's link into Google's cloud and thus every other application and/or workflow that connects to Google's cloud.

I synchronise Google calendar into Apple's iCal application; it [is/would be] extremely powerful that anything I might put into The Brain's calendar shows up within iCal on my Mac, iPhone and iPad - and vice-versa.

When calendar synchronisation finally works, this will be a killer feature for The Brain - especially for those of us who use it for Time Management.  I love it as a GTD management tool, but with the calendar synchronisation broken, it is extremely hobbled.

Unfortunately, unless it can be proven otherwise, you should stop promoting the Google Calendar synchronisation feature until you can actually make it work.  It doesn't work with the latest version of The Brain, be it the Windows or OSX client.

Prove to me that The Brain's Google Calendar synchronisation works, and I will fall silent.  Tell me exactly how you have configured Google Calendar and The Brain (within the latest version) in order for the feature to consistently work, and I will be happy.

But until then, you should stop featuring Google Calendar synchronisation as a feature of The Brain, because for now, it is not.  It is false advertising, and I'm pretty sure under EU regulations, you can be penalised.

I do love The Brain, but this issue which continues to be outstanding is VERY FRUSTRATING!  You are stopping the solution from excelling.

I do not know how many programmers you have working on The Brain, but could you please divert one of them to sort out the bugs in The Brain 7, for I assume these bugs are not being ironed out due to work on the next release - The Brain 8.

Despite the failure of The Brain to deliver on Google Calendar synchronisation, I still love the product; for, to my knowledge, there is no other solution that fills the niche; but please, solution monopoly does not justify complacency.

I will gladly offer assistance if need be; but please let us not pretend that the feature works, and should you think otherwise, please provide proof beyond a canned webcast.

Best wishes (and, despite it all, still love the product - but please do not continue to test the community's patience.)
MNICHOLS2K
 
can't synch with Google Calendar
Could the 'a.' prefix at the beginning of the "a.modificationDateTime" ORDER BY clause be a typo, which simply changing the SQL query to "ORDER BY modificationDateTime DESC" would fix?

"EXCEPTION IN SQL:SELECT modificationDateTime FROM AttributeTimestampData WHERE brainId = ? AND thoughtId=?  ORDER BY a.modificationDateTime DESC"

to

"EXCEPTION IN SQL:SELECT modificationDateTime FROM AttributeTimestampData WHERE brainId = ? AND thoughtId=?  ORDER BY modificationDateTime DESC"

The error reports that the column "a.modificationDateTime" is not found.  If the "a." prefix is the problem you would think it would be easy enough to remove it.

I don't have direct access to the database table to confirm the existence of the column.
can't synch with Google Calendar

FEEDBACK to THEBRAIN Developers in regards of failure of TheBrain to Export to Google Calendar after a successful initial synchronisation:

I have found the OUTPUT.LOG file for troubleshooting the issue, and have gathered the following.  Please pass onto the programming team.

Although the first Google Calendar synch works for a fresh database (that is, data is synced both ways), subsequent syncs fail.  Subsequent syncs only import events from Google to TheBrain, but NOT from TheBrain to Google.

It appears that when attempting to make subsequent Google Calendar syncs, TheBrain Java code attempts to query a non-existent column within the table ATTRIBUTETIMESTAMPDATA, which then causes Java to fault with a NullPointerException ('null' as in what it has been asked to retrieve does not exist).  The SQL query is attempted three times before the program gives up.

The specific query and exception (which is attempted 3 times) is the following:

EXCEPTION IN SQL:SELECT modificationDateTime FROM AttributeTimestampData WHERE brainId = ? AND thoughtId=?  ORDER BY a.modificationDateTime DESC

org.h2.jdbc.JdbcSQLException: Column "A.MODIFICATIONDATETIME" not found; SQL statement:
SELECT modificationDateTime FROM AttributeTimestampData WHERE brainId = ? AND thoughtId=?  ORDER BY a.modificationDateTime DESC [42122-164]
    at org.h2.message.DbException.getJdbcSQLException(DbException.java:329)
    at org.h2.message.DbException.get(DbException.java:169)
    at org.h2.message.DbException.get(DbException.java:146)
    at org.h2.expression.ExpressionColumn.optimize(ExpressionColumn.java:138)
    at org.h2.command.dml.Select.prepare(Select.java:799)
    at org.h2.command.Parser.prepareCommand(Parser.java:218)
    at org.h2.engine.Session.prepareLocal(Session.java:415)
    at org.h2.engine.Session.prepareCommand(Session.java:364)
    at org.h2.jdbc.JdbcConnection.prepareCommand(JdbcConnection.java:1121)
    at org.h2.jdbc.JdbcPreparedStatement.<init>(JdbcPreparedStatement.java:71)
    at org.h2.jdbc.JdbcConnection.prepareStatement(JdbcConnection.java:267)
    at com.thebrain.common.b.u.c(cdf:141)
    at com.thebrain.common.b.u.<init>(cdf:236)
    at com.thebrain.common.b.y.M(acf:203)
    at com.thebrain.common.b.y.M(acf:60)
    at com.thebrain.common.b.e.G(mef:1466)
    at com.thebrain.common.b.e.a(mef:1571)
    at com.thebrain.personal.a.g.c.M(sod:461)
    at com.thebrain.personal.a.a.l.i(zhd:489)
    at com.thebrain.personal.h.a.x.f(upd:295)
    at com.thebrain.personal.h.a.x.M(upd:425)
    at com.thebrain.personal.h.a.x.M(upd:292)
    at com.thebrain.personal.h.a.x.M(upd:146)
    at com.thebrain.personal.view.h.ed.run(xad:1173)
    at java.lang.Thread.run(Thread.java:680)

1536120 [Thread-3501] ERROR com.thebrain.common.b.e - Exception executing SQL SELECT modificationDateTime FROM AttributeTimestampData WHERE brainId = ? AND thoughtId=?  ORDER BY a.modificationDateTime DESC
java.lang.NullPointerException

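An added example, not TheBrain's code, that reproduces the diagnosis made in the two "can't synch with Google Calendar" posts above (the stray "a." alias in the ORDER BY clause and the proposed fix). It assumes an in-memory SQLite table standing in for the H2 AttributeTimestampData table; the column names are taken from the logged query, the rows are constructed, and the exact error text differs between SQLite and H2.

```python
import sqlite3

# Queries adapted from the OUTPUT.LOG excerpt: the first carries the stray "a."
# alias in ORDER BY that no FROM clause defines, the second is the proposed fix.
BROKEN_SQL = ("SELECT modificationDateTime FROM AttributeTimestampData "
              "WHERE brainId = ? AND thoughtId = ? ORDER BY a.modificationDateTime DESC")
FIXED_SQL = ("SELECT modificationDateTime FROM AttributeTimestampData "
             "WHERE brainId = ? AND thoughtId = ? ORDER BY modificationDateTime DESC")

def make_db():
    """Constructed in-memory stand-in for the AttributeTimestampData table
    (SQLite here, H2 in the real application); the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AttributeTimestampData "
                 "(brainId TEXT, thoughtId TEXT, modificationDateTime TEXT)")
    conn.executemany("INSERT INTO AttributeTimestampData VALUES (?, ?, ?)", [
        ("brain1", "thought1", "2016-05-01T10:00:00"),
        ("brain1", "thought1", "2016-05-03T09:30:00"),
        ("brain1", "thought2", "2016-05-02T08:00:00"),
    ])
    return conn

def query_timestamps(conn, sql, brain_id, thought_id):
    """Run one of the two queries and report the outcome explicitly, instead of
    letting a failed prepare surface later as a NullPointerException."""
    try:
        rows = [r[0] for r in conn.execute(sql, (brain_id, thought_id))]
        return ("ok", rows)
    except sqlite3.OperationalError as exc:
        # The statement fails at prepare time, before any row is fetched,
        # which is why the log shows the error on every one of the retries.
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    print(query_timestamps(db, BROKEN_SQL, "brain1", "thought1"))
    print(query_timestamps(db, FIXED_SQL, "brain1", "thought1"))
```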