Planet Drupal

Subscribe to Planet Drupal feed - aggregated feeds in category Planet Drupal
Updated: 18 hours 59 min ago

Freelock : Building a Membership site in Drupal 8

17 July 2017 - 11:02am

Memberships are not all the same. Some memberships last a lifetime, others last a year, or a month. Some memberships are for an individual, others for a couple, others for an entire family.

Some memberships are for a particular time period -- the 2017 season, the 2017/18 school year, Summer -- others are for a particular length of time starting when you purchase it.

Drupal 8Drupal PlanetMembershipCustom DevelopmentCRM
Categories: Drupal

Comic Relief Technology Blog: Pattern Lab — the beauty of a shared styling library

17 July 2017 - 9:11am
For those who aren’t familiar with the concept of Pattern-Lab (or a Pattern Library), it’s essentially a living style guide; a common tool in… Read More
Categories: Drupal

Mediacurrent: Comparing Drupal and Sitecore, Part 2 of 2

17 July 2017 - 9:00am

This is Part 2 of 2 of my Drupal vs Sitecore blog series. In the first part, I've compared the two from the perspectives of content authoring, marketing, and business. In this part, I look at the two platforms from an IT and community perspective. I also need to repeat my disclaimer that I'm a long-time Drupalist, but in this blog post I endeavor to be even-minded and objective.

Categories: Drupal

CiviCRM Blog: Developing with CiviCRM Entity and the Drupal API

17 July 2017 - 8:23am

If you are a Drupal developer coming new to CiviCRM, it can be a bit of a "culture shock" to realize that CiviCRM is not your typical Drupal module.

CiviCRM has a separate and independent evolution and ecosystem, and its standard practices and APIs reflect that. From installation of the module itself, to creating customizations and modifications of its standard behavior, you are entering into a different "world" when you implement and develop client solutions with CiviCRM.

CiviCRM Entity can help a Drupal developer make the transistion by enabling them to use some of the standard Drupal API features they have grown accustommed to, while still providing insight into the data structures and interconnections of CiviCRM.

For people who spend the majority of their time developing in CiviCRM, it can feel the same way, in reverse. For all-day CiviCRM developers, CiviCRM Entity can be an opportunity to better leverage your Drupal CMS for customizations and new features.  So this introduction to Developing with CiviCRM Entity and the Drupal API is for you too.

How's it work?

The premise behind CiviCRM Entity is really quite simple, though its ramications are profound. What CiviCRM Entity does is automate the process of exposing CiviCRM API entities and actions as Drupal entity types. Basically a Drupal entity type is the standard Drupal data model for a database table.  You map metadata to columns, and this provides one consistent way to store, retrieve, and manipulate database table data for Drupal Core and the entire ecosystem of contributed modules that can go with it. Because CiviCRM does not by itself engage its data with Drupal's Entity API, the majority of Drupal modules are not aware of CiviCRM's data and cannot act on it.

CiviCRM Entity implements all the necessay hooks to define the CiviCRM data as Drupal entity types.  It registers the entity types with hook_entity_info(), sets up the metadata with a hook_entity_property_info_alter() implementation, and extends the default Entity API objects and controllers.  Inside the controller responsible for load, save, and delete, instead of using Drupal's standard PDO SQL query operations, CiviCRM API calls are used.  This makes CiviCRM Entity a "remote entity" module, but specifically designed to work with CiviCRM only. 

This bit alone does the most important thing. It makes Drupal think CiviCRM data is Drupal data.  You can attach Drupal fields, to CiviCRM data.  You can use Drupal's entity_metadata_wrapper. All the rest of the code in the module and its submodules dealing with specific integration enhancements is just gravy.

Using the metadata wrapper, we built up one bit of Drupal Form API code, that woks with all the entities, and provides Drupal standard CRUD forms. Now you got Manage Fields and Manage Display pages for each entity type. Now the Rules module will play nice. Now Drupal developers can build cool custom stuff, using their familar tools.

Entity Field Query

EntityFieldQuery is Drupal 7's standard programmatic way to query the database tables exposed as entities. So let's say we want to find all the Home location type addresses for a particular contact. If there are results there will be an array with key of the entity type name containing objects keyed by id.

$contact_id = 3099; $query = new EntityFieldQuery(); $address_ids = $query->entityCondition('entity_type', 'civicrm_address') ->propertyCondition('contact_id', $contact_id) ->propertyCondition('location_type_id', 1) ->execute(); if (!empty($address_ids['civicrm_address'])) { // do something } Load Drupal Entity objects

Following the example above, we have a query result, and now want to load the entity objects.

if (!empty($address_ids['civicrm_address'])) { // entity_load returns an array of entity objects keyed by id $address_entities = entity_load('civicrm_address', array_keys($address_ids['civicrm_address'])); // maybe you just want the individual entity objects... foreach ($address_ids['civicrm_address'] as $id => $result) { $address_entity = entity_load_single('civicrm_address', $id); // get the city of the address $city = $address_entity->city; } } Saving entities

Now lets make sure our city in our address has every word capitolized, and save the address. The data as you see it in the CiviCRM admin backend will immediately reflect the changes.

$address_entity->city = ucwords($address_entity->city); entity_save('civicrm_address', $address_entity); Deleting Entities

If you want to delete an entity, you can use entity_delete().  Remember that these functions eventually get to the controller, which is a wrapper around CiviCRM API calls.  This matters especially for contacts, because by default deleting contacts sends them to the CiviCRM "trash", instead of completely deleting them.

entity_delete('civicrm_address', $address_entity->id); The Entity Metadata Wrapper 

If you start getting serious about programmatically manipulating entities, you want to start using the Entity Metadata Wrapper. This object encapsulates all these operations in an object oriented way.  It becomes especially useful when you are manipulating multi-lingual fields. It also can use entity level validation based on the entity metadata for each property of the entity type.  I would encourage its use in favor of manipulating the entity object directly, or using the entity_X functions. The code is much more readable and easier to write, and with validation it is much safer. There is a great article about the benefits of the wrapper which goes into detail.

You can pass the entity_metadata_wrapper function the entity object, or simply the id of the entity, and it will lazy load the object. If all you have is the id to start, no need to load the entity object first.

$address_wrapper = entity_metadata_wrapper('civicrm_address', $address_id); $city = $address_wrapper->city->value(); if($address_wrapper->city->validate(ucwords($city))) { $address_wrapper->city = ucwords($city); $address_wrapper->save(); } // get the updated entity object $updated_address_entity = $address_wrapper->value(); // nevermind, lets just delete the entity $address_wrapper->delete(); Custom Rules Action Example

A very practical use case of using the Drupal API for CiviCRM is creating custom Rules conditions or actions. Lets say we want to encapsulate this logic of automatically making the city of an address have uppercase words.  We may want to encapuslate functionality like this and pass it on to our site builders or clients who can use it when they need it. Once you find out how easy it is to create custom Rules actions, you'll have a powerful tool in your toolbox. There's lots of documentation on the web for doing this. 

Lets put this in a little module, I'm calling it civicrm_custom. Create a directory in your sites/all/modules directory named civicrm_custom

To read the rest of the article, and to get the code to build the Rules action, visit the blog.

Categories: Drupal

Mediacurrent: Mediacurrent's Drupal Theme Generator

17 July 2017 - 7:55am

In a fast moving industry like ours, it is imperative that we have tools that allow us to build environments (front and back-end), quickly, while providing consistency all across. The same way we have DevOps processes for quickly spinning off a complete Drupal built with composer, drush, Drupal console and more, we need a system that automates the process of creating Drupal themes which include all the essential tools needed for a modern, best practices and standards compliant environment.

Categories: Drupal

Acquia Developer Center Blog: Building an Open Source Photo Gallery with Face and Object Recognition (Part 1)

17 July 2017 - 7:28am

In this two-part series of blog posts, I'm going to show you how we built a Drupal 8 photo gallery site, integrated with Amazon S3, Rekognition, and Lambda to automatically detect faces (allowing us to automatically identify names!) and objects found in our photos.

Tags: acquia drupal planet
Categories: Drupal

Mark Shropshire: Drupal Camp Asheville 2017 Presentation

16 July 2017 - 8:39pm

What an honor it was to be selected to present at Drupal Camp Asheville again! This event just gets better and better each year. I want to thank the organizers, volunteers, attendees, and sponsors for making it so awesome!

Below you will find the video for my talk, slide deck, and related git repo for:

"Live Demo: How to Create a Winning Website with Drupal Best Practice".

Git repo:

Blog Category: 
Categories: Drupal

Jeff Geerling's Blog: DrupalCamp St. Louis 2017 Keynote announcement: Adam Bergstein

16 July 2017 - 7:07pm

(It's not too late to submit a session—and register for DrupalCamp soon, since early bird pricing ends on August 1!)

The organizers behind DrupalCamp St. Louis 2017 are happy to announce we have a speaker scheduled to present the Keynote, Adam Bergstein—Associate Director of Engineering at CivicActions!

Adam's Keynote is titled "Restoring Our Lost Information", and here's a short summary:

Categories: Drupal Drupal Developer's blog: Drupal Camp Kyiv 2017

15 July 2017 - 11:44am

On 10-11 of June in Kyiv there was an annual all-Ukrainian event - Drupal Camp Kyiv 2017. This is a place where experienced back-end, front-end developers, DevOps and managers share their knowledge. Traditionally Drupal Camp took place in two days: a conference day which includes 5 streams of presentations and code sprint where passionate developers can work together for improving Drupal and developing community. A few interesting statistics about this year’s event: 403 attendees, 5 streams of lectures, 42 speaker, 10+ international speakers, 70+ code sprint participants and 100+ patches made during code sprint.
Read more »
Categories: Drupal

Chapter Three: How to implement simple AMP support in Drupal 8

14 July 2017 - 8:41pm

Adding AMP support could be very tricky and complex depending on your project needs. In this blog post I won't be using AMP module. Instead I created something more simple and easier to use for simple AMP integration. The Simple AMP module is still using Lullabot's AMP PHP library. The module is a starter module and most likely won't be very useful out of the box, but it can get you going very fast. It is available for download here

First thing you need to do is to install composer require lullabot/amp, the module won't work without this library.

Once you install the module modify few lines of code in the module:

Categories: Drupal

Valuebound: How to Schedule Automated Tasks in Drupal with Cron?

14 July 2017 - 7:57am

Cron, A daemon/background process that runs at periodic intervals of time. It can be run periodically at pre-decided times and intervals. To describe in real time, I have met with a case where i have to fetch the content from a site, where new content might be created everyday and create it on my site. To handle this, i have created a cron job, configured it to run everyday at specific time let’s say at 05.00 AM. So whenever the cron runs, I have written a script to fetch the content that is created on that day and creating on my site. All this is achieved using the cron in Drupal.

Cron is a utility which executes commands at set intervals known as "cron jobs".
According to “A "cron job" is a time-triggered action that is usually (and most…

Categories: Drupal

Anubavam Blog: 10 best practices for implementing the Drupal coding standards

14 July 2017 - 6:18am
10 best practices for implementing the Drupal coding standards

Learn about the Drupal community coding standards and best practices that every Drupal developer should care whenever writing the code for Drupal. If you are truly committed to Drupal, then you should guarantee the code you contribute back be standards compliant. Here are ten of the best practices for implementing Drupal coding standards:

1. Spacing and Tabbing

  • Use double space (not tab, yes both are different) for indentation 
  • Often, the IDE/Editor that we use for Drupal development aggravates this issue as most of the IDE is configured to use tab for every line-break.
  • Press ensure that it aligns the cursor to the same indent as previous line with tabbing that caused this indentation issue.

2. Code comments

  • Check this link below for Drupal comment standards ( Comments are generally defined and used to state what the following line of code or block of code is doing and why we are writing the logic that way if it needs explanation for any future Drupal developer.
  • Three types of comments can be used in Drupal, Single line commenting (starts with //), Multi-line commenting (starts with /*) and Doxygen commenting (starts with /**).
  • Single line commenting and Doxygen commenting has a wide following in Drupal. Even for the comments with more than a line, it is handled with repeat use of single line commenting. The following example shows the usage pattern:

         // The first line of the comment goes here.
        // Some other comment here.
        // Some more comments here.
        // This saves the $node object and creates/updates the node

  • Comments are strictly not to be used to invalidate the code, which means you can’t use the comments to comment-out some set of code that you think are not needed. 
  • If you think some block of code is not really needed, just remove them instead of commenting-it-out. 
  • Sometimes you might find, the block of code that may be needed in future but not needed right now. In such instances, you can invalidate the code by placing those unwanted code in the condition like mentioned below.

         if (0) {
         // Some big logic goes here
        // that are not needed in this release for production

  • The above code gets invalidated, that is will not be executed ever as the condition "if (0)" always returns "FALSE", So the block of code inside that condition will not be executed.

3. Naming the function and variables

  • PHP was just procedural at the time of initial Drupal release. So all the coding standard in Drupal follows as such. That means all the function and variables should follow snake  case structure (as of Drupal7), which means variable names should start with small-letter words and underscore should be used to connect the words if the variable is going to contain multiple words. ($snake_case)
  • With the release of Drupal 8, the naming of variables and functions can also be used using camelCase structure, which means variable names should start with small-letter words with uppercase initials for the connective words in case of multi-word variable. (Eg. $camelCase)
  • In either way, we need to follow only one case throughout the file.
  • What we forget is, we mix cases (camelCase and snake_case) sometimes. This should be avoided. Sometimes we define functions without grouping of the function name. In Drupal, all the functions inside a module should be prefixed with the module name, which is called grouping of the function. This helps in avoiding the name conflicts between modules.

4. Uppercase variables

  • According to Drupal coding standard, UPPERCASE variables are considered as constants whether it's PHP constants (TRUE, FALSE, NULL) or Drupal constants (Eg: LANGUAGE_NONE).
  • Sometimes in order to stress the importance of variables, we name the variables in uppercase. This should be avoided.

5. Operator and logical statements

  •  We often forget to leave a space before and after the usage of operator (Eg. if(arg(0)=='node')). According to the Drupal coding standards, all the operators should have single space before and after the operator (Eg. if (arg(0) == 'node')).
  •  Use single space before the start curly braces. The opening curly should be on the same line as the opening statement, guided by single space. The closing curly brace should be on the end of the block and indented to the same level as the opening statement.

6. Line length and Wrapping

  • In general, all lines of code should be no longer than 80 characters. However, there are exceptions to the character limit for the variable and function name that are quite longer when correctly indented.
  • We often wrap the condition of the control statement for readability. Drupal coding standard encourages us to split the multiple conditions and evaluate each complex conditions into a variable and use that in the control statement for better readability.

7. Module placement

As far as Drupal 7 is considered, all the contributed modules should be grouped under the directory called "contrib" in "/sites/all/modules", whereas the custom modules should go inside "/sites/all/modules/custom". In Drupal 8, the same can be followed or utilize the "/module" directory and use the same grouping of the  modules.

8. Writing Javascript

  • Always use Drupal behavior for your custom scripts which runs every time there is change in DOM elements unlike the traditional jQuery.ready which runs only once during the page execution when the DOM elements are ready.

9. Placeholders for translate function t()

  • Use the placeholders for dynamic strings used inside t() function.
  • Generally t() function is used to translate the given strings, sometimes we might use the dynamic strings inside t() function by concatenating the values, which is the not the best practice formulated by Drupal.


  • return t('@username, welcome to my website', array('@username' => $account->name));

10. Module file

  • Use the module file only for Drupal hooks and some commonly used custom functions that you need frequently. 
  • Use .inc file to define menu callbacks and other helper functions that are not needed to be defined in module file.

If we all code to standards, Drupal will be a stronger, more performant, more secure platform. Drupal will continue to grow and strengthen it’s community due to the quality of it’s codebase. Anubavam has been building Drupal sites and providing services such as Drupal 8 upgrade and migration services, Drupal E-commerce development services, and more. Anubavam is participating in Drupal core development since 2006 and has delivered 250+ projects to 100+ happy clients in 22 countries worldwide.

admin Fri, 07/14/2017 - 09:18 Drupal developer Drupal Application Development
Categories: Drupal

Droptica: Droptica: How we made friends with Codeception and Drupal

14 July 2017 - 4:26am
Taking into consideration the fact that most of our products are based on Drupal, the tests should also naturally work best with such projects. This is why we decided to complement the standard functionality of Codeception with some new modules dedicated for Drupal. As in our previous article, all examples listed below will be based on a project based on docker-console, which is why we encourage everybody to read the previous articles first if you didn’t do so yet. If you already have your Codeception project and just want to slightly modify it so that it works better with Drupal, this article is also for you.
Categories: Drupal

FFW Agency: A Shopping Cart is Not an eCommerce Solution

14 July 2017 - 2:28am
A Shopping Cart is Not an eCommerce Solution Ray Saltini Fri, 07/14/2017 - 09:28

I teach Drupal. A lot. Often when I talk about Drupal I talk about how some people never leave their comfort zone to learn new things. Sometimes I make wise cracks about Flash or ColdFusion. Everyone gets the joke. Soon I'll be joking about standalone shopping carts. I think most people will get that joke too.

It's not that many shopping cart services aren't good. In fact, many are excellent. eCommerce is one of the more mature areas of the internet - after all - selling things is what catapulted the web into prominence and it all happened in the shopping cart. But eCommerce is much more challenging now and to be competitive in today's market businesses need much more than a tool that takes their client's money.

Businesses need to think in terms of Digital Experience Platforms or DXP's.

Questions and Answers

Why is eCommerce so much more complicated?

I once had the soon to be president of Black and Decker stress to me one of the most important questions in business: "What is our product and how do we bring it to market?" he said.

While those are still arguably the most important questions, we understand there are more that need to be asked and answered. Consider the following list.

How can we bring…

  • the right product or service…
  • to the right customers…
  • at the right time…
  • at the right place…
  • in the right condition…
  • in the right quantity…
  • at the right price?

To be competitive in today's retail environment you've got to be able to answer these questions for both online and walk-in customers.

Now answer these:

  • Does your shopping cart help you answer these questions?
  • Does your website help you answer these questions?
  • Do any of your sales channels help you answer these questions?

If you answered yes to any of them, congrats. Now ask:

  • How much are you paying for answers?
  • How much are you failing to earn because you don't have good answers?

Finally ask yourself this set of questions:

  • Do my tools help me flatten my business process or streamline my organization: this should include everything from your supply chain to your sales operations.
  • Do your tools just help you keep your head above water?
  • How much overhead do they add to your business process?
It's the Content, and the Experience

The good news is the answers to many of the market questions are out there for anyone who is able to generate high value content, collect data and turn it into useful information. While that is a huge complex equation it can be answered by the right tools and right decisions. The answers to the questions driving today's markets are in the content and the consumption of that content. The more, better, easily consumed, engaging, provocative content you make and manage the better your answers to your most critical market questions.

I think this simple smart observation about the importance of content published in Forbes by Melissa Pitts way back in 2012 still rings true.

With so much of our lives spent online, it's more important than ever to remember the wisdom expressed in Cluetrain. In case you've forgotten or never read it, it is is still some of the best, most common sense marketing truth out there today.

"Markets are conversations," the now famous line from the 1999 manifesto reads.

Newsflash: shopping carts don't manage content and they don't spark communities or conversations. Digital Experience Platforms start conversations. Think about how Facebook has evolved into an ecommerce powerhouse. Think about all the conversations going on within Amazon - 'Hello Alexa!'

Ask yourself one final question: Does my shopping cart spark conversations?

I have no clue why so many eRetailers still rely so heavily on such limited tools for supporting their eCommerce. I do know they risk being the butt of jokes soon enough.

Repeat after me: 'A Shopping Cart is Not an eCommerce Solution and an eCommerce Solution is not a Digital Experience Platform.'

If you and your organization understand these critical concepts then you are on the right track.

The Only Smart eCommerce Solution is a Digital Experience Solution

Implementing a full fledged DXP solution will help you answer these market questions and much more. Most eCommerce 'solutions' are just shopping carts with a few bells and whistles that fall far short of the DXP mark especially when they can cost you upwards of $15K per year just to access. Shopping cart solutions just don't deliver.

At FFW we work with Drupal extensively. We started working with it because it was a great CMS. With the release of Drupal 8 it's an even better application platform and we continue to work with Drupal and invest in its future because it can be used to build innovative, integrated solutions that drive adoption across organizations and affinities. Drupal helps our clients gather tremendous amounts of data and then turn it into useful information. Drupal helps us deliver content and then harvest information about the visitors that consume that content. That helps us make the right match between consumers, products and services. That is the essence of a great Digital Experience Platform. And that is what helps our clients start to answer the questions that begin with, 'How can we bring the right product or service to market.'

You don't have to take our word for it. Read what the analysts are saying.

In future installments of this blog I'll discuss how Drupal as a Digital Experience Platform can help you engage communities in conversations about their needs and interests and how your message about your product or service can be conveyed authentically. I'll also talk about how it supports critical established trends like omni channel marketing and commerce everywhere. We'll look at how you can use Drupal to flatten your business process and bring your sales team closer to customers.

For more on topics like this and other digital solutions take a look at FFW's special training programs that will give your organization the competitive edge it needs to compete.

Tagged with
Categories: Drupal

Lullabot: Eight Reasons Why Security Matters for Distributed Agencies

13 July 2017 - 5:08pm

As I was doing my deep dive into an IoT camera, a question came up: why does it matter? Sure, any given device might not be secure, but how does that affect employees or our business?

I’m glad you asked!

1. Consumer Routers Are Mostly Garbage

Every home internet connection needs a router and some sort of WiFi network. Otherwise, you’re stuck connecting a single device directly to a cable or DSL modem. Unfortunately, most routers have poor security. The CIA has used home router exploits for at least the past 10 years, and odds are good that non-state actors have been too.

  1. In general, router security is not a selling point, and the lowest-cost routers are the bulk of the market.
  2. In order to reduce costs, routers usually use older hardware, WiFi chipsets, and ship with Linux. Since the WiFi drivers are often proprietary and out of the kernel tree, even new devices often ship with an ancient version of Linux. That means that your shiny new router (like the recently released Netgear Nighthawk X10) might ship with a kernel from half a decade ago (according to their GPL code release), missing security improvements since then [1].
  3. Very few routers offer automatic updates, so even if manufacturers provided comprehensive security updates they would be ignored by the majority of users.

Sometimes, ISPs give or require home users to use routers provided by them, but they have a poor security track record too. In one instance, a router’s DNS settings could be changed, which would let an attacker redirect traffic to servers of their choice.

Why does this matter? In the end, every single bit of internet traffic goes through your router. If an attacker wants to sniff unencrypted traffic, or attempt to downgrade an encrypted connection, this is the place to do it. Your router should be the most secure device on your network, and instead it’s likely the least secure.

Our security team recommends to our employees that their overall security starts with their router.

Try to find devices that offer some sort of automatic update and vendors with a good security record. Consider running an open-source router distribution like pfSense, OPNSense, or OpenWRT that makes it easier to keep up to date. Don’t trust your ISP’s equipment unless they’ve shown they are security conscious.

2. Home Networks Have Untrusted Devices

If you have a family at home, odds are you’ve given out your WiFi password. After all, you want kids or guests to be able to access WiFi when they need it. But, have you checked those devices to make sure they’re secure? What are the odds that the laptop your kid’s friend brought over to do homework on has some sort of virus on it? Or, that your babysitter’s old unpatched Galaxy phone is infected with a rootkit? You wouldn’t want these devices plugged in at work, and they shouldn’t be on the same network as your work devices either.

The easiest way to handle untrusted devices is to use the “guest network” functionality in your WiFi access point.

Usually, these networks limit traffic between devices, and only allow them to communicate out to the internet. Many access points allow multiple guest networks, so you could separate “mostly trusted” devices from “patient zero infection vector” devices [2].

3. Security Includes Privacy Too

Imagine that after reading the previous point, you go out and setup a perfectly secure and segmented network. Then, a grandparent gives your kids internet connected teddy bears. Great! You put them on the kid’s WiFi network, and rest knowing that your work data is secure.

Until you realize that they left the toy in your office, and you had conference calls with enterprise clients talking about unannounced products, and that the teddy bear was uploading all recorded audio to an unprotected database.

One of the best parts of working from home is being able to create your own space, or multiple spaces to work in. But, in sharing that home, you open yourself up to potential leaks and vulnerabilities. Of course, in the above hypothetical, the odds of an attacker combing through those voice recordings and finding something useful is small. Then again, what if your contracts require client notification in the case of a suspected breach? Even if the real risk is small, the impact on your reputation could be huge.

Treat your client data like your personal photo collection, your home budget, or your medical records.

Think not just about ways you can be directly hacked, but about ways data can be intercepted, and how you can limit those vulnerabilities.

4. IoT Devices Punch Holes By Design

What is it that every IoT device markets as being the most important feature? Usually, it’s some combination of “cloud,” “app,” and “integration.” If it’s a security camera, the marketing will almost always show some picture of a person out travelling, viewing their kids at home. Door locks alerting you when they are unlocked. A thermostat detecting you driving home, and starting to warm up the house.

In other words, these devices need to have a two-way connection to the Internet—they need to send statuses out to the cloud, and receive commands from your phone or the cloud. That means they’ve opened a hole through your router.

It might be a surprise, but while your home router is probably the most important security device on your network, they all include methods for devices and applications to open up your network to the Internet—without any sort of authorization or controls. uPNP and NAT-PMP are the most common protocols for this. STUN is also used as it works even if uPNP and NAT-PMP are disabled on the router.

No matter how they do it, IoT devices for the home place accessibility over security almost universally. That is a fundamental conflict with many agency (and customer!) priorities, making every single IoT device employees own a potential threat to your operations.

Prefer “smart” devices that work without an internet connection, or use a separate network entirely such as Zigbee.

As well, disable uPNP and NAT-PMP on your routers, and use a stateful firewall instead of relying on NAT to protect your home network.

5. Hacked Devices Put Private Networks At Risk

I’m sure many are thinking, “it’s OK, we require the use of a VPN for all of our work.” That’s fine, and certainly a good practice. It stops direct attacks on your private services from the broader Internet, and ensures employee’s connections can’t be sniffed by malicious devices at home.

Or… does it?

Ask yourself: how many VPNs do you have for client work that use self-signed SSL certificates? How many intranet sites require you to click through and ignore HTTPS warnings in your browser? How many of your critical domains use DNSSEC? How many client devices are validating DNSSEC signatures?

What prevents a hacked “smart” electrical plug from hacking a router in turn, and then redirecting traffic from there? How likely are you to notice that the self-signed VPN certificate has changed?

VPNs are great, but they’re only a start. The connection process is still vulnerable to attack by other devices on the network. Ignore best practices in but one layer of the system, and the whole thing becomes vulnerable. All because that WiFi thermostat was on sale for $29.99.

Don’t rely on VPNs as the sole method to protect your company.

Make sure all employees are aware of the risks that come with using work resources and VPNs at home, and that they understand the trust that comes with VPN access.

6. Agencies Are Great Targets

How many different clients do you work with today? How many have you worked with in the last year? How many access credentials do you have “on ice,” that are active, but not in daily use?

Imagine a hacker is trying to gain access to an enterprise’s network or data. What’s easier: hacking their well monitored and well-staffed corporate networks, or hacking a remote employee or agency protected by a mere consumer-grade router? And, if the target is not a specific company, but simply a company in a given vertical, agencies are perfect victims. At least, if the agency doesn’t consider security in a holistic and comprehensive manner.

Don’t fall into the “we’re too small to hack” trap.

Just as smart devices might be used as a vector to hack your laptop, your small agency might be used as a vector to hack a client.

7. Enterprises are Great Targets, Too

Ok, so agencies are great targets for hacks, and we should all just give up.

Well, enterprises don’t always have great security either. I’ve worked with companies with hundreds of thousands of employees, who don’t have SSL on a single intranet site. I’ve also seen companies with APIs that have zero authentication, allowing unauthenticated POST requests to modify business critical data. Or, AWS root keys left in cleartext on company wikis or source code.

As agencies, we’re often hired to set the standard for our client’s teams. That means, when we see an SSL certificate fail, we click cancel and call support instead of forcing it through. We use best practices for APIs like request signing instead of plaintext passwords. We change passwords we see posted in Slack, and remind the team to use something like LastPass or GnuPG instead.

But, to do this effectively, we need to have our own security house in order. We need to not just communicate the best practices, but live them ourselves, so we can know we aren’t leading clients towards an unusable and burdensome set of restrictions.

Bake good security practices into how you work with clients.

Follow the same security practices with your own teams, so when you make suggestions to clients you come from a place of experience.

8. The Internet Is A Community

In the Drupal world, we’re always telling our clients how being a part of the community is the best way to build sites efficiently. A hacked web server doesn’t just affect our client’s and their users—it affects other, innocent users online. A server taking part in a DDoS might not be noticeable at all to the server admins—but the other end of the attack is having a very bad day.

For digital agencies, our livelihoods depend on a functional and reliable internet. If we ignore security in the name of hitting our next deadline, we hurt the commons we all need to thrive.

Think about the downstream effects of a security breach.

Remember that the bulk of hacks these days aren’t about data exfiltration, but computing resources for DDoS attacks or spam. Be aware of the common resources your company has (hosting, email, domains, websites) that may be valuable to attackers in their own right simply because they can be used in other attacks.

Technical Notes

[1] I compared their source to the upstream LTS 3.10.105 release, which showed that CVE-2016-3070 was patched in August in commit af110cc4b24250faafd4f3b9879cf51e350d7799. It doesn’t appear that fix is shipped with the Netgear router. It’s possible the fix isn’t required for this hardware, but do we really trust that they’ve done their due diligence for every single patch? It’s a much better practice to apply all security patches, instead of selectively deploying them. Even if they’ve backported security patches, the Linux kernel itself has added significant security features since then, such as Live patching, write-only protection to data, and merges from the grsecurity project.

[2] Another solution is to implement multiple “virtual networks” or VLANs with firewall rules to control traffic. Combined with a managed switch and appropriate access points, you can “tag” traffic to different networks. For example, let’s say you have a Chromecast you want to be able to use from both your work laptop and from phones guests have. A VLAN would let you create three networks (devices, work, and guest), and add rules that allow traffic from “work” and “guest to send traffic to “devices”, but not the other way around. Likewise, “work” could open a connection to a “guest” device, but “guests” wouldn’t initiate a connection to a “work” device. Obviously this requires some learning to set up, but is great for flexibility if you have more than just the simple “guest” scenario.

Header image is Broken Rusty Lock: Security (grunge) by Nick Carter.

Categories: Drupal

Mediacurrent: Introducing the YAML Content Module

13 July 2017 - 6:52am

I always look forward to DrupalCon each year for a number of reasons. One of the reasons chief among them is the refreshing excitement of being immersed in the community. I always enjoy the encouragement and guidance our community offers. A number of the conversations I had during DrupalCon offered this same encouragement and guidance to push forward with a public release of a module I've been working on and maintaining privately. Following up on this advice, I'd like to proudly introduce my new module: YAML Content.

Categories: Drupal

Abhishek Lal | GSoC Blog: Examples for Developer #5 Week of Coding

13 July 2017 - 5:40am
Examples for Developer #5 Week of Coding Abhishek Lal B Thu, 07/13/2017 - 18:10
Categories: Drupal Blog: AGILEDROP: Travel and Holiday sites on Drupal

13 July 2017 - 12:40am
As we like to point out, it is summer time and some of you will still go on a vacation. You will rest and gain more energy to later begin with new challenges. It's up to you to decide how you would like to spend your free time. Will you travel or just lay on the beach? Be it either way, you can help yourself with this holiday and travel sites, made on Drupal. There are many exotic places on earth to visit and one is definitely Fiji. It's true that all the flights to the island are long, with the closest one from New Zealand lasts three hours, but the island has a lot to offer. So in order… READ MORE
Categories: Drupal

PreviousNext: Introduction to Drupal Patch Files

12 July 2017 - 9:06pm

I recently joined PreviousNext and was soon getting acquainted with contributing to Drupal core and contrib projects. A big part of the contribution workflow is working with patch files in the issue queue, so I wrote this post to help anyone who wants to know about patching in Drupal.

Categories: Drupal

Boby Aloysius Johnson | GSoC Blog: Major Planning -- week 6

12 July 2017 - 8:18pm
Major Planning -- week 6 boaloysius Wed, 07/12/2017 - 23:18



It is the sixth week of Google Summer of Code 2017. We were engaged in creating an abstraction for using ml-engine with Drupal. The core functions like file upload, ml-engine training jobs, deployment and prediction services etc were created during the first month of GSoC. Please refer the link for the code. This week started with few basic lessons on tensorflow. I continued the search to find the official collection of pre-trained tensorflow models. It didn't find any new result. I have posted three questions in Stack Overflow. One to find the pre-trained models, streaming data to Google Cloud Storage, and the other to know if ml-engine supports all types of tensorflow models.

To use multiple ml-engine projects simultaneously, we need to create a content entity. We propose to store ml-engine configurations as entity base fields and Tensorflow python code inputs as bundle fields. In the below-shown figure, there are few base fields for training and deployment.



This is the sketch of ml-engine entity. It has three parts. Training part includes determining the fields required for tensorflow code and ml-engine configuration. Users are given the scope to select fields custom to their tensorflow code. Deployment part has base fields to set its configuration. Prediction part is for selecting the prediction output data type.
 figure 2 User creates their new projects through this interface. Each project is having its own set of training and deployment jobs.
 figure 3 

Fields can be created to match the input requirement of the tensorflow code. The referred Drupal View will be converted to corresponding CSV file. All referenced files will be uploaded to Google Cloud and will be replaced with the URL. This provides a great flexibility on data types by creating an abstraction layer for the input.


figure 4 

The output corresponding to each model can vary depending on the design of the model. To provide an abstraction, we provide the option to select the returned data types for each project. For example, the response will be encoded as an integer if the selected type is an integer. If it is an image, the returned binary will be written to a jpg file and added to Drupal. For classification, the user will be able to select class corresponding to each index. This can provide a good level of abstraction in handling the prediction output. If needed users extend this module to add more data types. 



figure 5:  

Finally, to do prediction we have to select its field types. Below we have two screenshots showing how we match data to these fields.


figure 6: To map data to a field, we have to go to the node settings and select the ml-engine project. Now go to field settings > edit. 


figure 7:

Select the ml-engine prediction input field and we are done. Similar to the option to match prediction input field, this page will have a checkbox to match the prediction output. If checked, predictions made are stored in this field when the node is saved.


In the coming week, we will be working on implementing this design.

Categories: Drupal