Lullabot: Invaders! Securing Smart Devices on a Home Network

Wed, 05/24/2017 - 18:00
As a part of Lullabot's security team, we've been keeping track of how the Internet of Things plays a role in our company security. Since we're fully distributed, each employee works day-to-day over their home internet connection. […] subreddit reminds us that most "smart" devices are actually quite dumb as far as security goes. With […] like Mirai actively focusing on home IoT devices including cameras, we know that anything we plug in will be under constant assault. However, there can be significant utility in connecting physical devices to your local network. So, my question: is it possible to connect an "IoT" device to my home network securely, even when it has known security issues?

An opportunity presented itself when we needed to buy a new baby monitor that supported multiple cameras. The […] MBP853CONNECT was on sale, and included both Wifi and a "regular" proprietary viewer. Let's see how far we can get.

The Research

Before starting, I wanted to know if anyone else had done any testing with this model of camera. After searching for "motorola hubble security" (Hubble is the name of the mobile app), I came across "[…] To Hack: Reverse engineering an IP camera". This article goes into great detail about the many flaws they found in a different Motorola camera aimed at outdoor use. Given that both cameras are made by […], and connect to the same remote services, it seemed likely that the MBP853 was subject to similar vulnerabilities.
The real question was if Motorola updated all of their cameras to fix the reported bugs, or if they just updated a single line of cameras.

These articles were also great resources for figuring out what the cameras were capable of, and I wouldn't have gotten as far in the time I had without them:

- […] the Motorola Blink 1 Baby Monitor (Part 2)
- […] the Motorola Blink Baby Monitor/Camera

Goals

I wanted to answer these three questions about the cameras:

1. Can the cameras be used in a purely "local" mode, without any cloud or internet connectivity at all?
2. If not, can I allow just enough internet access to the camera so it allows local access, but blocks access to the cloud services?
3. If I do need to use the Hubble app and cloud service, is it trustworthy enough to be sending images and sounds from my child's bedroom?

The Infrastructure

I recently redid my home network, […] to an APU2 running […] for routing, combined with a […] UAP-AC-PRO for wireless access. Both software stacks support VLANs—a way to segregate and control traffic between devices on the same 'physical' network. For WiFi, this means creating a separate SSID for the cameras, and assigning it a VLAN ID in the UniFi controller. Then, in OPNSense, I created a new interface with the same VLAN ID. On that interface, I enabled DHCP, and then set up basic firewall rules to block all traffic. That way, I could try setting up the camera while using Wireshark on my laptop to sniff the traffic, without worrying that I was exposing my real network to anything nefarious.

Packet Sniffing

One of the benefits of running a "real" operating system on your router is that all of our favorite network debugging tools are available, including tcpdump. Since Wireshark will be running on our local workstation, and not our router, we need to capture the network traffic to a separate file.
Once I knew the network interface name using `ifconfig`, I then used SSH along with `-w -` to reroute the packet dump to my workstation. If you have enough disk space on the router, you could also dump locally and then transfer the file after.

    $ ssh root@router-ip-or-hostname tcpdump -w - -i igb0_vlan3000 > packet-dump.pcap

After setting this up, I realized that this wouldn't show traffic of the initial setup. That's because, in setup mode, the WiFi camera broadcasts an open WiFi network. You then have to use the Android or iOS mobile app to configure the camera so it has the credentials to your real network. So, for the first packet dump, I joined my laptop to the setup network along with my phone. Since the network was completely open, I could see all traffic on the network, including the API calls made by the mobile app to the camera.

Verifying the setup vulnerability

> Let's make sure this smart camera is using HTTPS and keeps my WiFi password secure.

I wanted to see if the same setup vulnerability […] by Context disclosing my WiFi passwords applied to this camera model. While I doubt anyone in my residential area is capturing traffic, this is a significant concern in high-density locations like apartment buildings. Also, since the cameras use the 2.4GHz and not the 5GHz band, their signal can reach pretty far, especially if all you're trying to do is read traffic and not have a successful communication. In the OPNSense firewall, I blocked all traffic on the "camera" VLAN. Then, I made sure I had a unique, but temporary password on the WiFi network.
That way, if the password was broadcast, at least I wasn't broadcasting the password for a real network and forcing myself to reset it.

Once I started dumping traffic, I ran through the setup wizard with my phone. The wizard failed as it tests internet connectivity, but I could at least capture the initial setup traffic.

In Wireshark, I filtered to https traffic:

Oh dear. The only traffic captured is from my phone trying to reach `66.111.4.148`. According to `dig -x`, that IP resolves to […] - in other words, my email app checking for messages. I was expecting to see HTTPS traffic to the camera, given that the WiFi network was completely open. Let's look for raw HTTP traffic.

This looks promising. I can see the HTTP commands sent to the camera fetching its version and other information. Wireshark's "Follow HTTP stream" feature is very useful here, helping to reconstruct conversations that are spread over multiple packets and request / response pairs.
For example, if I follow the "get version" conversation at number 3399:

    GET /?action=command&command=get_version HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.1; Nexus 6P Build/N4F26O)
    Host:
    Connection: Keep-Alive
    Accept-Encoding: gzip

    HTTP/1.1 200 OK
    Proxy-Connection: Keep-Alive
    Connection: Close
    Server: nuvoton
    Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
    Pragma: no-cache
    Expires: 0
    Content-type: text/plain

    get_version: 01.19.30

Let's follow the setup_wireless command:

    GET /?action=command&command=setup_wireless_save&setup=1002000071600000000606blueboxthisismypasswordcamera000000 HTTP/1.1
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.1; Nexus 6P Build/N4F26O)
    Host:
    Connection: Keep-Alive
    Accept-Encoding: gzip

    HTTP/1.1 200 OK
    Proxy-Connection: Keep-Alive
    Connection: Close
    Server: nuvoton
    Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
    Pragma: no-cache
    Expires: 0
    Content-type: text/plain

    setup_wireless_save: 0

That doesn't look good. We can see in the GET:

1. The SSID of the previous WiFi network my phone was connected to ("bluebox").
2. The password for the "camera" network (thisismypassword).
3. The SSID of that network.

Presumably, this is patched in the latest firmware update. Of course, there's no way to get the firmware without first configuring the camera. So, I opened up the Camera VLAN to the internet (but not the rest of my local network), and updated.

That process showed another poor design in the Hubble. When checking for firmware updates, the app fetches the version number from the camera.
Then, it compares that to a version fetched from […] over plain HTTP.

In other words, the firmware update itself is subject to a basic MITM attack, where an attacker could block further updates from being applied. At the least, this process should be over HTTPS, ideally with certificate pinning as well. Amusingly, the OTA server is configured for HTTPS, but the certificate expired the day I was writing this section.

After the update had finished, I reset the camera to factory defaults and checked again. This time, the `setup_wireless_save` GET was at the least not in cleartext. However, I don't have any trust that it's not easily decryptable, so I'm not posting it here.

Evaluating Day-to-Day Security

Assuming that the WiFi password was at least secure from casual attackers, I proceeded to add firewall rules to allow traffic from the camera to the internet, so I could complete the setup process. This was a tedious process. `tcpdump` along with the OPNSense list of "blocked traffic" was very helpful here. In the end, I had to allow:

- DNS
- NTP for time sync
- HTTPS
- HTTP
- UDP traffic

I watched the IPs and hostnames used by the camera, which were all EC2 hosted servers. The "aliases" feature in OPNSense allowed me to configure the rules by hostname, instead of dealing with constantly changing IPs. Of course, given the above security issues, I wonder how secure their DNS registrations are.

Needing to allow HTTP was a red flag to me. So, after the setup finished, I disabled all rules except DNS and NTP. Then, I added a rule to let my normal home LAN access the CAMERA VLAN.
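
The capture review done by hand above (set a throwaway WiFi password, then look for it in the setup traffic) can be scripted. This is an added example, not code from the original article: it scans reassembled HTTP requests, such as Wireshark's "Follow HTTP stream" text, for the canary password in plaintext, hex and base64, and flags camera commands that change state over GET. The host 192.0.2.10, the third and fourth sample requests, and the rule that any command not starting with `get_` is a write are assumptions.

```python
"""Added example: audit reassembled HTTP requests for an exposed canary secret."""
import base64
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

MIN_CANARY_LEN = 8  # shorter secrets match by accident too often


def b64_fragments(secret: bytes):
    """Base64 text that must appear wherever `secret` sits inside a longer
    base64-encoded buffer, one fragment per possible byte alignment (0, 1, 2)."""
    frags = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + secret).decode()
        body = enc.rstrip("=")
        if len(body) != len(enc):
            body = body[:-1]  # last char also carries bits of the following byte
        frags.append(body[(0, 2, 3)[pad]:])  # leading chars carry bits of earlier bytes
    return frags


def canary_needles(canary: str):
    """Search strings for each encoding the audit checks."""
    raw = canary.encode()
    return {"plaintext": [canary], "hex": [raw.hex()], "base64": b64_fragments(raw)}


def parse_request(text: str):
    """Split one reassembled request into method, decoded query params and body."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    method, target, _version = head.split("\n", 1)[0].split(" ", 2)
    query = urlsplit(target).query
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return method, params, body


def audit(requests, canary):
    """Return (request index, finding, detail) tuples."""
    if len(canary) < MIN_CANARY_LEN:
        raise ValueError("canary too short to search for reliably")
    needles = canary_needles(canary)
    findings = []
    for idx, text in enumerate(requests):
        try:
            method, params, body = parse_request(text)
        except ValueError:
            findings.append((idx, "unparsed-request", ""))
            continue
        haystack = "\n".join(list(params.values()) + [unquote_plus(body)])
        for name, candidates in needles.items():
            hay = haystack.lower() if name == "hex" else haystack
            if any(c in hay for c in candidates):
                findings.append((idx, "canary-exposed", name))
        command = params.get("command", "")
        # Assumption: every command that does not start with "get_" changes state.
        if method == "GET" and command and not command.startswith("get_"):
            findings.append((idx, "state-change-via-get", command))
    return findings


# --- Sample data. Requests 0 and 1 follow the capture in the article (Host is a
# --- constructed documentation address); requests 2 and 3 are constructed.
CANARY = "thisismypassword"
HEADERS = " HTTP/1.1\r\nHost: 192.0.2.10\r\nConnection: Keep-Alive\r\n\r\n"
_WRAPPED = base64.b64encode(b"ssid=bluebox;psk=" + CANARY.encode() + b";net=camera").decode()
SAMPLE_REQUESTS = [
    "GET /?action=command&command=get_version" + HEADERS,
    "GET /?action=command&command=setup_wireless_save&setup="
    "1002000071600000000606blueboxthisismypasswordcamera000000" + HEADERS,
    # Constructed: the same secret merely base64-wrapped inside a longer value.
    "GET /?action=command&command=setup_wireless_save&setup=" + quote(_WRAPPED, safe="") + HEADERS,
    # Constructed: an opaque value, like the post-update request the article describes.
    "GET /?action=command&command=setup_wireless_save&setup="
    "a3f19c0e5d7b42688e1f0c9d2b7a6e51" + HEADERS,
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REQUESTS, CANARY):
        print(finding)
```

A clean result for a request only rules out these trivial encodings; it says nothing about how well an opaque value is actually protected.
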
I could then access the camera with an RTSP viewer at the URL:

    rtsp://user:pass@camera-ip:6667/blinkhd/

Yes, the credentials actually are `user` and `pass`.

And tada! It looked like I had a camera I could use with my phone or laptop, or better yet at the same time as my wife. Neat stuff!

It All Falls Apart

After a fresh boot, everything seemed fine with the video streams. However, over a day or two, the streams would become more and more delayed, or would drop, and, eventually, I'd need to restart the camera. Wondering if this had something to do with my firewall rules, I re-enabled the HTTP, HTTPS, and UDP rules, and started watching the traffic.

Then, my phone started to get notification spammed.

At this point, I'd been using the cameras for about two weeks. As soon as I re-enabled access to Hubble, my phone got notifications about movement detected by the camera. I opened the first one… and there was a picture of my daughter, up in her room, in her jammies.

It was in the middle of the day, and she wasn't home.

What I discovered is that the camera will save a still every time it detects movement, and buffer them locally until they can be sent. And, looking in Wireshark, I saw that the snapshots were being uploaded with an HTTP POST to `snap.json` without any encryption at all. Extracting the conversation, and then decoding the POST data (which was form data, not JSON!), I ended up with a picture.

I now had proof the camera was sending video data over the public internet without any security whatsoever. I blocked all internet access, including DNS, hoping that would still let local access work. It did!

Then, my wife and I started hearing random beeps in the middle of the night. Eventually, I tracked it to the cameras. They would beep every 15 minutes or so, as long as they didn't have a working internet connection.
This killed the cameras for home use, as they'd wake the whole family. Worse yet, even if we decided to allow internet access, if it was down in the middle of the night (our cable provider usually does maintenance at 3AM), odds are high we'd all be woken up. I emailed Motorola support, and they said there was no way to disable the beeping, other than to completely reset the cameras and not use the WiFi feature at all.

We're now happily using the cameras as "dumb" devices.

Security Recommendations and Next Steps

Here are some ideas I had about how Motorola could secure future cameras:

1. The initial setup problem could have been solved by using WPA2 on the camera. I've seen routers from ISPs work this way; the default credentials are unique per device, and printed on the bottom of the device. That would significantly mitigate the risk of a completely open setup process. Other devices include a Bluetooth radio for this purpose.
2. Use encryption and authentication for all APIs. Of course, there are difficulties from this such as certificate management, hostname validation, and so on. However, this might be a good case where the app could validate based on a set of hardcoded properties, or accept all certificates signed by a custom CA root.
3. Mobile apps should validate the authenticity of the camera to prevent MITM attacks. This is a solved problem that Binatone simply hasn't implemented.
4. Follow HTTP specifications! All "write" commands for the camera API use HTTP GETs instead of POSTs. That means that proxies or other systems may inadvertently log sensitive data. And, since there's no authentication, it opens up the API to CSRF vulnerabilities.

In terms of recommendations to the Lullabot team, we currently recommend that any "IoT" devices be kept on completely separate networks from devices used for work.
That's usually as simple as creating a "guest" WiFi network.

blog: What's new on - April 2017

Wed, 05/24/2017 - 17:20
Read our […] to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

At the end of April we joined the community at DrupalCon Baltimore. We met with many of you there, gave our update at the […] board meeting, and hosted a panel detailing the last 6 months' worth of […] on […]. If you weren't able to join us for this con, we hope to […] you in Vienna!

[…] updates

DrupalCon Vienna Full Site Launched!

Speaking of Vienna, in April we launched the full site for DrupalCon Vienna which will take place from September 26-29th, 2017. If you're going to join us in Europe you can […] your hotel now, or […] a session. Registration for the event will be opening soon!

DrupalCon Nashville Announced with new DrupalCon Brand

Each year at DrupalCon the location of the next conference is held as a closely guarded secret; the topic of speculation, friendly bets, and web crawlers looking for 403 pages. Per tradition, at the […] session we unveiled the next location for DrupalCon North America - […], TN taking place from April 9-13th in 2018. But this year there was an extra surprise.

We've unveiled the new brand for DrupalCon, which you will begin to see as the new consistent identity for the event from city to city and year to year.
You'll still see the unique character of the city highlighted for each regional event, but with an overarching brand that creates a consistent voice for the event.

Starring Projects

Users on […] may now […] their favorite projects - making it easier to find favorite modules and themes for future projects, and giving maintainers a new dimension of feedback to judge their project's popularity. Users can find a list of the projects they've starred on the user profile. Over time we'll begin to factor the number of stars into a project's ranking in search results.

At the same time that we made this change, we've also added a quick configuration for managing notification settings on a per-project basis. Users can opt to be notified of all issues for a project, only issues they've followed, or no issues. While these notification options have existed for some time, this new UI makes it easier than ever to control issue notifications in your inbox.

Project Browsing Improvements

One of the important functions of […] is to help Drupal site builders find the distributions, modules, and themes that are the best fit for their needs. In April, we spent some time improving project browsing and discovery.

[…] is now weighted by project usage so the most widely used modules for a given search phrase will be more likely to be the top result.

We've also added a […] to the project browsing pages to allow you to filter results by the presence of a supported, stable release.
This should make it easier for site builders to sort out mature modules from those still in initial development.

Better visual separation of Documentation Guide description and contents

In […] to user feedback, we've updated the visual display of Documentation Guides, to create a clearer distinction between the guide description text and the teaser text for the content within the guides.

Promoting hosting listings on the Download & Extend page

To leverage Drupal to the fullest requires a good hosting partner, and so we've begun promoting our hosting listings on the […] and Extend page. We want to provide every Drupal evaluator with all of the tools they need to achieve success—from the code itself, to professional services, to hosting, and more.

Composer

Sub-tree splits of Drupal are now available

For developers using Composer to manage their projects, sub-tree splits of […] Core and […] are now available. This allows PHP developers to use components of Drupal in their projects, without having to depend on Drupal in its entirety.

DrupalCI

Automatic Requeuing of Tests in the event of a CI Error

In the past, if the DrupalCI system encountered an error when attempting to run a test, the test would simply return a CI error message, and the user who submitted the test had to manually submit a new test.
These errors would also cause the issues to be marked as 'Needs work' - potentially resetting the status of an otherwise RTBC issue.

We have updated […]'s integration with DrupalCI so that instead of marking issues as needs work in the event of a CI Error, […] will instead […] queue a retest.

Bugfix: Only retest one environment when running automatic RTBC retests

Finally, we've fixed a […] with the DrupalCI's automatic RTBC retest system. When Drupal HEAD changes, any RTBC patches are automatically retested to ensure that they still apply. It is only necessary to retest against the default or last-used test environment to ensure that the patch will work, but the automatic retests were being tested against every configured environment. We've fixed this issue, shortening queue times during a string of automatic retests and saving testing resources for the project.

———

As always, we'd like to say thanks to all the volunteers who work with us, and to the Drupal Association […], who made it possible for us to work on these projects.

Drupal 6 security update for AES

Wed, 05/24/2017 - 16:30
As you may know, […] 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the […] 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the […] encryption module.

The AES module provides an API for encrypting and decrypting data via AES. It also allows storing Drupal passwords encrypted in the database (rather than hashed) which can allow site administrators with high enough permissions to view user passwords.

Previously, the module implemented AES poorly, such that the encryption was weakened and could have potentially made it easier for an attacker to decrypt given enough examples of the encrypted data.

(A note about the timing of this release: the AES module was […] on March 1st, and we started working on a fix […] away in the D6LTS queue. We usually release D6LTS patches the same day the D7/D8 patches are posted or two weeks after a module is unsupported, however, in this case we had only a single Enterprise customer using AES and so we worked on it according to a timeline dictated by them, which involved testing their custom modules using the AES API with their team. So, we're releasing this after it's been fully tested and deployed for our one affected customer - if more customers had been affected it would have been released same-day, as usual.)

Here you can download […] Drupal 6 patch.

If you have a Drupal 6 site using the AES module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients.
:-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please […] out our D6LTS plans.

Note: if you use the […] module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on

Jeff Geerling's Blog: Drupal VM does Docker

Wed, 05/24/2017 - 15:57
Drupal VM has used Vagrant and (usually) VirtualBox to run Drupal infrastructure locally since its inception. But ever since Docker became 'the hot new thing' in infrastructure tooling, I've been asked when Drupal VM will convert to using Docker.

The answer to that question is a bit nuanced; Drupal VM has been using Docker to run its own integration tests for over a year (that's how I […] tests on seven different OSes using Travis CI). And technically, Drupal VM's core components have always been able to run inside Docker containers (most of them use Docker-based integration tests as well).

But Docker usage was always an undocumented and unsupported feature of Drupal VM. But no longer—with 4.5.0, Drupal VM now supports Docker as an experimental alternative to Vagrant + VirtualBox, and you can use Drupal VM with Docker in one of two ways:

James Oakley: Meet Project Honey Pot

Wed, 05/24/2017 - 14:59
Spam is a problem that never goes away. Email spam. Comment spam.

This site has long used Mollom (https://www.mollom.com) to protect the comment section and the contact form. They're […] down on 2nd April 2018, so lots of webmasters will be looking for alternatives.

I'd like to introduce you to Project Honey Pot.

Flocon de toile | Freelance Drupal: Render programmatically a unique field from a node or an entity with Drupal 8

Wed, 05/24/2017 - 12:00
It may sometimes be necessary to render a single field of a content or entity. For example, for a simplified display of contents relating to the content consulted, the use of specific fields in other contexts, etc. Obtaining programmatically the rendering of a field may be problematic for the Drupal 8 cache invalidation system, since the resulting render array would not contain the cache tags of the source entity. Let's take a look at some solutions available to us.

Wed, 05/24/2017 - 05:23
Last week, I presented on […] & Drupal for local development at Drupal414, the local Drupal meetup in Milwaukee, WI.

It included:

- a basic introduction to the why's and how's of Docker,
- a couple live demos, and
- the details of how we use Docker as our local development environment to […] & maintain hundreds of Drupal sites here at myDropWizard

The presentation wasn't recorded at the time, but it was so well received that I decided to record it again at my desk so I could share it with a wider audience. :-)

Here's the video:

[Video: Docker & Drupal for Local Development]

(Sorry, for the poor audio! This was recorded sort of spontaneously...)

And […] are the slides.

Please leave any questions or comments in the comments section below!

Drupal Bits at Web-Dev: Drupal View with Nodequeue Priority

Wed, 05/24/2017 - 04:11
Sometimes you want a View that follows the internal logic of the filters you set up on the View, but also can have some items hand selected or cultivated to the top of the View. Or perhaps the other way to describe it is a […] View that is backfilled with some other View based logic so that you end up with a full display regardless of how many items are actually in the Nodequeue.

To do this requires three adjustments to the View (assuming you have already built the normal View logic based on filters that are separate from Nodequeue).

1. Make the Nodequeue a relationship to the View.
2. Add the Nodequeue to the sort criteria.
3. Restructure the filter settings to make it the Nodequeue logic OR the Filter logic.

Example: Nodequeue View with random Backfill

Let's say you have a 3 item View that gets used to display some promoted items on your home page. You want the View to be populated by anything in the Nodequeue and then randomly backfilled with any other item(s) that match some filter criteria if the Nodequeue does not contain three items.

0) To start, create your View that has a maximum of 3 items and set the filter(s) to use your backfill criteria (a status of published and limited to whatever entities you are using) and a sort of Global: Random to randomly pick from items that meet the filter criteria.

1) Add your Nodequeue as a relationship.

You want it limited to a specific Nodequeue.
The relationship should not be required, or you will not have anything to backfill with.

2) Add the Nodequeue as sort criteria to the View.

Since we want the Nodequeue items to come first, and in order, we have to set the sort order in front of the rest of the View sort criteria (which in this case is random).

3) Adjust the filter criteria and break it into logical sections. The first section is the set of filters that must be applied to all items regardless of whether they are in the Nodequeue or not (the purple region below).

Then you need to create another filter group AND in this group put the items that are either the default logic OR the Nodequeue. The default logic in this case is that audience field matches some criteria. The trick is to set the operator within this filter group to OR.

Now when you add, delete or rearrange items in the Nodequeue the View will match the order of the Nodequeue and if you don't have enough items in your queue, it will backfill from other items that meet your criteria.

Caching Issues: By default, updating a nodequeue will not cause the cache on the View to expire if the View is cached. If you need the updates to be immediately seen by anonymous users, you can implement a hook_nodequeue_update() to clear the cache on any changes to that nodequeue.

Drupal @ Penn State: Streamlining Polymer one-page apps in Drupal

Wed, 05/24/2017 - 00:04
On the ELMS:LN team, we've been working a lot with […] and webcomponent (http://webcomponents.org) based development this year. It's our new workflow for all front-end development and we want Drupal to be the best platform for this type of development. At first, we made little elements and they were good. We stacked them together, and started integrating them into our user interfaces and polyfills made life happy.

Chromatic: Chromatic's DrupalCon Baltimore Recap

Tue, 05/23/2017 - 20:00
As always, Chromatic had a great time at DrupalCon - we brought knowledge to share, and learned a lot!

Dries Buytaert: Acquia's next phase

Tue, 05/23/2017 - 18:08
In 2007, […] Batson and I wanted to build a software company based on open source and Drupal. I was 29 years old then, and eager to learn how to build a business that could change the world of software, strengthen the Drupal project and help drive the future of the web.

Tom Erickson joined Acquia's board of directors with an outstanding record of scaling and leading technology companies. About a year later, after a lot of convincing, […] agreed to become our CEO. At the time, Acquia was 30 people strong and we were working out of a small office in Andover, Massachusetts. Nine years later, we can count 16 of the Fortune 100 among our customers, saw our staff grow from 30 to more than 750 employees, have more than $150MM in annual revenue, and have 14 offices across 7 countries. And, importantly, Acquia has also made an undeniable impact on Drupal, as we said we would.

I've been lucky to have had Tom as my business partner and I'm incredibly proud of what we have built together. He has been my friend, my business partner, and my professor. I learned first hand the complexities of growing an enterprise software company; from building a culture, to scaling a global team of employees, to making our customers successful.

Today is an important day in the evolution of Acquia:

- Tom has decided it's time for him to step down as CEO, allowing him flexibility with his personal time and to act more as an advisor to companies, the role that brought him to Acquia in the first place.
- We're going to search for a new CEO for Acquia. When we find that business partner, Tom will be stepping down as CEO. After the search is completed, Tom will remain on Acquia's Board of Directors, where he can continue to help advise and guide the company.
- We are formalizing the working relationship I've had with Tom during the past 8 years by creating an Office of the CEO.
I will focus on product strategy, product development, including product architecture and Acquia's roadmap; technology partnerships and acquisitions; and company-wide hiring and staffing allocations. Tom will focus on sales and marketing, customer success and GA functions./li /ulpThe time for these changes felt right to both of us. We spent the first decade of Acquia laying down the foundation of a solid business model for going out to the market and delivering customer success with Drupal – Tom's core strengths from his long career as a technology executive. Acquia's next phase will be focused on building confidently on this foundation with more product innovation, new technology acquisitions and more strategic partnerships – my core strengths as a technologist./p pTom is leaving Acquia in a great position. This past year, the top industry analysts published very positive reviews based on their dealings with our customers. I'm proud that a href= made the most significant positive move of all vendors/a in last year's Gartner Magic Quadrant for Web Content Management and that Forrester a href= Acquia as the leader for strategy and vision/a. We increasingly find ourselves at the center of our customer's technology and digital strategies. At a time when digital experiences means more than just web content management, and data and content intelligence play an increasing role in defining success for our customers, we are well positioned for the next phase of our growth./p pI continue to love the work I do at Acquia each day. We have a passionate team of builders and dreamers, doers and makers. To the Acquia team around the world: 2017 will be a year of changes, but you have my commitment, in every way, to lead Acquia with clarity and focus./p pTo read Tom's thoughts on the transition, please a href= out his blog/a. 
Michael Skok, Acquia's lead investor, also covered it on a href= blog/a./p figure class=figurediv class=img no-resize style=border: 1px solid #ccc; display: inline-block img src= style=display:block alt=Tom and dries //div /figure Default Search API Sorts Per View in Drupal 7

Tue, 05/23/2017 - 17:54
It's been a while since I've written a post here (especially, Drupal-related). But today I have something interesting to share.

There's a module called Search API sorts that provides custom sorts and a global sort block for Search API. The module itself is ok, but ...

Vardot: Time to level up - Ditch Drupal 6 for the all new Drupal 8

Tue, 05/23/2017 - 17:10
Drupal 6 kicked off way back in 2008. For the time it was a major breakthrough in technology, and the platform supported many major websites including Over its lifespan Drupal 6 had more than 700 contributed modules and 600 custom themes. It boasted a nicer menu structure and an easier installation process than its predecessors, as well as improved security and a handy drag and drop menu. Drupal 6 was well ahead of its time. Now it is unsupported, outdated and frankly, old. It’s time for you and your website to move on.

complete history of Drupal

What’s new in Drupal?

Drupal 8 (released November 2015) comes with a whole set of new built-in gadgets, including mobile responsive themes, built in web services to make it an API-first CMS, improved editorial experience, accessibility, powerful multilingual tools (at last), improved performance, HTML5, and SEO and analytics tools. With over 18 months since releasing, it has become reliably stable, secure, and ready for you to make the switch.

Check out our Reasons why Now is the Right Time to Move to Drupal 8

Why Drupal 6 isn’t a safe bet anymore

Without support from the community, Drupal 6 is going to be opened to more and more security risks. Its modules will become outdated and unwieldy, and users will struggle to be able to get the performance they’ve come to expect with modern websites. While upgrading may seem like a daunting task, the business risks of remaining with Drupal 6 are far higher.

Migrations - easier than you think?

Believe it or not, Drupal 8 is stacked full of migration modules and toolsets to help you move your content from one platform to another. While many of these focus simply on moving a site between completely different platforms, there are some that are designed to assist with moving between versions of Drupal. Depending on how your website was developed these can be tricky to use, and can lead to many hours of rework ‘rebuilding’ your website at the other end. If your website is stacked full of custom features, you may find that stock migration modules don’t quite provide the service you need.

Partners in Migration

If you’re a tech-whizz with a small website and plenty of time, you might find migrating your site on your own an exciting and economically sound venture. However, Drupal has become such a user friendly platform that many of its users' skillsets are in marketing, communications and social relations. If that’s you, perhaps the thought of trying to move all your web content to another platform is so daunting you’ve been carefully looking the other way while Drupal 8 was released and took the world by storm.

With our assistance, your migration can not only be smooth and painless, but an opportunity to resolve some of those niggling website issues, and take a step forward into greater customer engagement. A shift to Drupal 8 can help you improve your conversions whilst making site maintenance easier.

Vardot - Drupal experts since 2011

Here at Vardot we’ve been supporting people since 2011. With our specialist team of Drupal experts we’re prepared to help migrate anything from a small two-page website, to a large scale page with multiple custom modules and integrations. Working with our team you’ll be on first name basis with our staff, and there is no shuffling between departments.

We believe in empowering our customers and our community - by giving back to the open source community. We promote a vibrant culture that benefits everyone involved. Working with us goes hand in hand with giving back, and you can be sure we’ll equip you with the skills and knowledge you need for the day-to-day management of your website moving forward.

If you have a site that needs migrating, or just a refresh, get in touch with us, we can’t wait to hear from you.

Drupal core announcements: Midwest Developer Summit 2017-08-11 -- 2017-08-13 -- Register Now!

Tue, 05/23/2017 - 16:35
Make your plans to join us for the Drupal Midwest Developer Summit, August 11-13, on the University of Michigan campus, in Ann Arbor MI.

Register here

The Event
Join us for 3 days this summer in Ann Arbor, Michigan, for the 2017 Midwest Drupal
For this year’s Summit, we’ll gather on the beautiful University of Michigan campus for three days of code sprints, working on issues such as porting modules and writing, updating documentation and informal presentations. We will start around 10AM and finish around 5PM each

Food
Lunch, Coffee and Snacks will be provided each day.

What’s New This Year at MWDS?
This year, we’re adding lightning talks (more Drupal learnings!) and a social outing (more Drupal fun!)

What’s The Same?
Relaxed, low-key sprinting and socializing with Drupal core contributors and security team members.

What you can expect:

- An opportunity to learn from Drupal core contributors and mentors, including Angie “webchick” Byron, Michael Hess, Peter Wolanin, Neil Drumm and xjm.
- Code sprints. Let’s clear out some queues!
- Help porting modules to Drupal 8.
- Lightning talks
- Security issue sprints
- Documentation writing
- Good food and good community.

Location
Ann Arbor is about 30 minutes by car from Detroit Metro Airport. Ann Arbor is also served by

Questions? Contact a

2bits: Antibot module for Comment Spam, Alternative to Mollom End Of Life

Tue, 05/23/2017 - 14:14
Acquia has announced the end of life for Mollom, the spam filtering service.

Mollom was created by Dries Buytaert and Benjamin Schrauwen, and launched to a few beta testers (including myself) in 2007. Mollom was by Acquia in 2012.

The service worked generally well, with the occasional spam comment getting through. The stated reason for stopping the service is that spammers have gotten more sophisticated, and that perhaps means that Mollom needs to try harder to keep up with the ever changing tactics. Much like computer viruses and malware, spam (email or comments) is an arms race scenario.

The recommended alternative by Acquia is a combination of and

But there is a problem with this combination: reCAPTCHA, like all modules that depend on the CAPTCHA module, disables the page cache for any form that has CAPTCHA enabled.

This is due to this piece of code in captcha.module:

    // Prevent caching of the page with CAPTCHA
    // This needs to be done even if the CAPTCHA will be ommitted later:
    // other untrusted users should not get a cached page when
    // the current untrusted user can skip the current
    drupal_page_is_cacheable(FALSE);

Another alternative that we have been using that does not disable the page cache is the antibot module.

To install the antibot module, you can use your git repository, or the following drush commands:

    drush dis mollom
    drush dl antibot
    drush en antibot

Visit the configuration page for antibot if you want to add more forms that use the module, or disable it from other forms. The default settings work for comments, user registrations, and user logins.

Because of the above mentioned arms race situation, expect spammers to come up with circumvention techniques at some point in the future, and there will be a need to use other measures, be they in antibot, or other alternatives.

Blog: AGILEDROP: DrupalCon session about Coding and Development

Tue, 05/23/2017 - 07:13
Last time, we gathered together DrupalCon Baltimore sessions about Project Management. Before that, we explored Case Studies. We promised that we will also look in some other areas. Therefore, we will this time see, which sessions were present in the area of Coding and Development.

Code Standards: It's Okay to be Yourself, But Write Your Code Like Everyone Else by Alanna Burke from Chromatic

In this session, attendees learned both formatting standards for their code and documentation standards, as well as some specifics for things like Twig, and object-oriented programming in Drupal 8. The…

Drupal Modules: The One Percent: Drupal Modules: The One Percent — Footermap (video tutorial)

Mon, 05/22/2017 - 18:54
NonProfit, Mon, 05/22/2017 - 11:54
Episode 28

Here is where we bring awareness to Drupal modules running on less than 1% of reporting sites. Today we'll investigate Footermap, a module which renders the results expanded menus in a block.

Valuebound: How to set the right expectations for project delivery?

Mon, 05/22/2017 - 18:46
Setting a clear list of expectations to the client for a project delivery goes a long way to great client relationships. A mismatched and misunderstood project goal and target always leads to dissatisfaction among team members, account head, and all other stakeholders.

I manage a team of a few developers who build web applications in Drupal. While working on projects with my team, I have had the chance to practice a few of the points that I have mentioned in the article. It has not only kept us on track but also kept people happy and motivated.

What should you do?

Be involved from the beginning

When you begin a project make sure that you and your team members are involved in the project from the beginning. There are times when the team would expand…

MD Systems blog: Using Commerce for a newspaper subscription shop

Mon, 05/22/2017 - 18:09
Commerce 2.x has a lot of changes in comparison to Commerce 1.x. In this blogpost, we write about how those changes affected us in our project and what we did to resolve certain problems that showed up as we used Commerce 2.x for a newspaper subscription shop.

Appnovation Technologies: The Future of Drupal

Mon, 05/22/2017 - 18:04
*Cross-posted from Millwood Online.

Over the past month there has been a lot of focus on Drupal, the community. More recently it seems people are back to thinking about the software. Dave Hall and David Hernandez both posted eye opening posts with thoughts and ideas of what needs doing and how we can move forward. A one line summary of those posts would be ...