Newsfeeds

Matt Glaman: DrupalCon: friends, family & fun in Nashville

Planet Drupal - 17 April 2018 - 7:00pm
DrupalCon: friends, family & fun in Nashville mglaman Tue, 04/17/2018 - 21:00

DrupalCon is always something I look forward to, ever since attending my first one at DrupalCon Los Angeles 2015. As I wrote over a week ago, I drove down from Wisconsin with my wife and two boys to Nashville. We came down for the weekend before and stayed for the weekend after to do some touristing and vacationing. I tried to write one blog about DrupalCon but realized I couldn't really condense everything I had to say. So I plan on pushing out a few post-Nashville blogs.

Categories: Drupal

Tandem's Drupal Blog: Tandem Named Leading Drupal Developer

Planet Drupal - 17 April 2018 - 5:00pm
April 18, 2018 Clutch has named Tandem one of the leading Drupal development agencies in SF for 2018. Last month, the B2B ratings and reviews platform Clutch named the top San Francisco agencies and developers in 2018. We are proud to announce that Tandem was recognized for our expertise and made the list! While we have experience with a variety...
Categories: Drupal

A Dead Man’s Guide to Dragongrin: 5E Campaign Setting Guide Up On Kickstarter

Tabletop Gaming News - 17 April 2018 - 3:00pm
A Dead Man’s Guide to Dragongrin is more than just a setting book. With those, you get some history, some maps, and some NPCs. This one really looks to help the GM along with building the world as well as just pointing things out. Instead of having to shoehorn your game into the setting, the […]
Categories: Game Theory & Design

Kitchen Rush: Piece of Cake Expansion Up On Kickstarter

Tabletop Gaming News - 17 April 2018 - 2:00pm
You’ve had your appetizer, soup, and main course. But I hope you’ve left some room for dessert! That’s where you’re headed with Kitchen Rush: Piece of Cake, the new expansion from Artipia Games. It introduces dessert orders, as well as fruit and creme ingredients, plus the special ice cream scoop token. You can find it […]
Categories: Game Theory & Design

Rebel Minis Releases Missions of Tomorrow Book

Tabletop Gaming News - 17 April 2018 - 1:00pm
Missions of Tomorrow is the new expansion book for the Future Tales game. As one would expect, it brings in even more sci-fi themes for when you’re playing and making your character. Like what? Well, how about some new attributes? Or maybe you’d like some cyborg action? Want to make your games less pulpy and […]
Categories: Game Theory & Design

Acquia blocks 500,000 attack attempts for SA-CORE-2018-002

Dries Buytaert - 17 April 2018 - 12:51pm

On March 28th, the Drupal Security Team released a bug fix for a critical security vulnerability, named SA-CORE-2018-002. Over the past week, various exploits have been identified, as attackers have attempted to compromise unpatched Drupal sites. Hackers continue to try to exploit this vulnerability, and Acquia's own security team has observed more than 100,000 attacks a day.

The SA-CORE-2018-002 security vulnerability is highly critical; it allows an unauthenticated attacker to perform remote code execution on most Drupal installations. When the Drupal Security Team made the security patch available, there were no publicly known exploits or attacks against SA-CORE-2018-002.

That changed six days ago, after Checkpoint Research provided a detailed explanation of the SA-CORE-2018-002 security bug, in addition to step-by-step instructions that explain how to exploit the vulnerability. A few hours after Checkpoint Research's blog post, Vitalii Rudnykh, a Russian security researcher, shared a proof-of-concept exploit on GitHub. Later that day, Acquia's own security team began to witness attempted attacks.

The article by Checkpoint Research and Rudnykh's proof-of-concept code have spawned numerous exploits, which are written in different programming languages such as Ruby, Bash, Python and more. As a result, the number of attacks has grown significantly over the past few days.

Fortunately, Acquia deployed a platform level mitigation for all Acquia Cloud customers one hour after the Drupal Security Team made the SA-CORE-2018-002 release available on March 28th. Over the past week, Acquia has observed over 500,000 attacks from more than 3,000 different IP addresses across our fleet of servers and customer base. To the best of our knowledge, every attempted exploitation of an Acquia customer has failed.



The scale and the severity of this attack suggest that if you failed to upgrade your Drupal sites, or your site is not supported by Acquia Cloud or another trusted vendor that provides platform level fixes, the chances of your site being hacked are very high. If you haven't upgraded your site yet and you are not on a protected platform, then assume your site is compromised. Rebuild your host, reinstall Drupal from a backup taken before the vulnerability was announced and upgrade before putting the site back online. (Update: restoring a Drupal site from backup may not be sufficient as some of the exploits reinstall themselves from crontab. You should assume the whole host is compromised.)

Drupal's responsible disclosure policy

It's important to keep in mind that all software has security bugs, and fortunately for Drupal, critical security bugs are rare. It's been nearly four years since the Drupal Security Team published a security release for Drupal core that is this critical.

What matters is how software projects or software vendors deal with security bugs. The Drupal Security Team follows a "coordinated disclosure policy": issues remain private until there is a published fix. A public announcement is made when the threat has been addressed and a secure version of Drupal core is also available. Even when a bug fix is made available, the Drupal Security Team is very thoughtful with its communication. The team is careful to withhold as many details about the vulnerability as possible to make it difficult for hackers to create an exploit, and to buy Drupal site owners as much time as possible to upgrade. In this case, Drupal site owners had two weeks before the first public exploits appeared.

Historically, many proprietary CMS vendors have executed a different approach, and don't always disclose security bugs. Instead, they often fix bugs silently. In this scenario, secrecy might sound like a good idea; it prevents sites from being hacked and it avoids bad PR. However, hiding vulnerabilities provides a false sense of security, which can make matters much worse. This approach also functions under the assumption that hackers can't find security problems on their own. They can, and when they do, even more sites are at risk of being compromised.

Drupal's approach to security is best-in-class — from fixing the bug, testing the solution, providing advance notice, coordinating the release, being thoughtful not to over communicate too many details, being available for press inquiries, and repeatedly reminding everyone to upgrade.

Acquia's platform level fix

In addition to the Drupal Security Team's responsible disclosure policy, Acquia's own security team has been closely monitoring attempted attacks on our infrastructure. Following the release of the Checkpoint Research article, Acquia has tracked the origin of the 500,000 attempted attacks:

This image captures the geographic distribution of SA-CORE-2018-002 attacks against Acquia's customers. The number denoted in each bubble is the total number of attacks that came from that location.

To date, over 50 percent of the attempted attacks Acquia has witnessed originate from the Ukraine:

At Acquia, we provide customers with automatic security patching of both infrastructure and Drupal code, in addition to platform level fixes for security bugs. Our commitment to keeping our customers safe is reflected in our push to release a platform level fix one hour after the Drupal Security Team made SA-CORE-2018-002 available. This mitigation covered all customers with Acquia Cloud Free, Acquia Cloud Professional, Acquia Cloud Enterprise, and Acquia Cloud Site Factory applications, giving our customers peace of mind while they upgraded their Drupal sites, with or without our help. This means that when attempted exploits and attacks first appeared in the wild, Acquia's customers were safe. As a best practice, Acquia always recommends that customers upgrade to the latest secure version of Drupal core, in addition to platform mitigations.

This blog post was co-authored by Dries Buytaert and Cash Williams.
Categories: Drupal

Dries Buytaert: Acquia blocks 500,000 attack attempts for SA-CORE-2018-002

Planet Drupal - 17 April 2018 - 12:51pm

The scale and the severity of this attack suggest that if you failed to upgrade your Drupal sites, or your site is not supported by Acquia Cloud or another trusted vendor that provides platform level fixes, the chances of your site being hacked are very high. If you haven't upgraded your site yet, we recommend you do so as soon as possible, in addition to verifying that you haven't been compromised.

Categories: Drupal

Eye for an Eye launches on Kickstarter April 24th

Tabletop Gaming News - 17 April 2018 - 12:00pm
“Downtime” is a term in gaming that refers to when a player has little to nothing to do. It’s your opponent’s turn and you just kinda gotta sit there while they make their decisions and play their cards and roll their dice. Too much downtime and you can find yourself getting up to go get […]
Categories: Game Theory & Design

Exploring the rise and eventual fall of Xbox's early teenage hackers

Social/Online Games - Gamasutra - 17 April 2018 - 11:41am

"As much as I consciously made the decisions I did, I never meant for it to get as bad as it did," one hacker, David Pokora, told Wired for an in-depth story about his group's actions. ...

Categories: Game Theory & Design

Podcast Radio

Tabletop Gaming News - 17 April 2018 - 11:00am
Welcome back to Tuesday. We’ve got the work-week off and running, so let’s hit our full stride and keep things going until we get back to the weekend. To help out, we’ve got our regular batch of podcasts for you to listen to, you know, instead of Nina in corporate accounts (payable). This week we […]
Categories: Game Theory & Design

Closest Zip Code

New Drupal Modules - 17 April 2018 - 10:47am

A Drupal 8 module which allows you to get the closest zip code to another zip code. An API is provided, but no user interface.

Usage

Step 1: Install as you would any Drupal module: drush dl closest_zip_code

Step 2: Try it!

Let's say you are at zipcode 78376, and you have three locations, 78629, 01343 and 99919, and you want to know which is closest, run:

Categories: Drupal

Sponsored: Join this free live webinar on cross-platform multiplayer game dev!

Social/Online Games - Gamasutra - 17 April 2018 - 10:07am

In this free webinar, join AWS and Amazon GameLift and learn how to support cross-platform play for your multiplayer game. Register now! ...

Categories: Game Theory & Design

DGS Games will release the Varkraalan Truthseeker on May 15th

Tabletop Gaming News - 17 April 2018 - 10:00am
A new mini will soon be making its way to the tables of Freeblades, and just about anyone can use it. The Varkraalan Truthseeker is a new ally that will be recruitable by just about anyone, but also a faction model for the Kuzaarik. As you can see from the headline, you’ll be able to […]
Categories: Game Theory & Design

Acquia Environment Config

New Drupal Modules - 17 April 2018 - 9:17am

Allows per-environment configuration settings on the Acquia Cloud servers.

Based on a module by Andrew Larcombe - Environment Config.

Categories: Drupal

Fabled Environments Releases Buccaneer: Through Hell and High Water Setting Book

Tabletop Gaming News - 17 April 2018 - 9:00am
Yarr arr yarr! I loddie the hotpants! Fabled Environments has released their new book, Buccaneer: Through Hell and High Water, for the Savage Worlds system. It is filled with rules to bring the Golden Age of Piracy to your tabletop. Raid coastal settlements, engage in dangerous boarding actions, fight legendary sea creatures, all while trying […]
Categories: Game Theory & Design

Web Wash: Differentiate Websites using Environment Indicator in Drupal 8

Planet Drupal - 17 April 2018 - 8:00am

As a web developer, you probably build your sites first in a local environment (aka localhost), then you commit all your changes to a staging server (i.e. an online server to which only you or the development team has access) and if everything works fine in the staging server, you’ll commit these changes to a production or live server (that’s your online site).

However, you don’t have a way to differentiate between your local, your staging and your production environments apart from the address box of your browser, so it’s very easy to mix up everything and that could lead to complications. The worst case scenario is making changes directly to your live site without testing and breaking it. In order to prevent this, you can use the Environment Indicator module.

The Environment Indicator module adds a visual hint to your site, that way you’ll always be aware of the environment you’re working on. We’re going to cover installation and usage of this module in this tutorial.

Let’s start!

Categories: Drupal

Drinking Buddies Drinking Card Game Up On Kickstarter

Tabletop Gaming News - 17 April 2018 - 8:00am
Gamers and booze. They tend to go together like, well… games and dice. Though this game doesn’t use dice. It uses cards. And it uses booze. And it uses gamers. It’s Drinking Buddies, and it’s a new drinking card game that’s up on Kickstarter now. From the campaign: Drinking Buddies is a thinking game for […]
Categories: Game Theory & Design

Fantasy Flight Games Previews the Regions and NPCs in Realms of Terrinoth

Tabletop Gaming News - 17 April 2018 - 7:00am
Game worlds are not just right where the PCs are. There’s all manner of things going on all over. And when the players go to new locations, the GM has to be ready for what the terrain is like, what the map shows, and some people who live there. That’s what we get a look […]
Categories: Game Theory & Design

Well Played: Designing Countermoves in PvP Games - by Jiajun (Jeremy) Liu

Gamasutra.com Blogs - 17 April 2018 - 6:26am
As game designers, how do we encourage players to play better and longer in our games? One effective way is to design countermoves: emergent solutions to specific problems.
Categories: Game Theory & Design
