LATEST FROM OUR BLOG

Take your daily dose of (only) relevant news, useful tips and tricks and valuable how-tos on using the latest web technologies shaping the digital landscape. We do all the necessary information sifting for you, so you don't have to, and provide you with content that will help you anticipate the emerging trends about to influence the web.

How to Create and Manage a Content Workflow in Drupal 8: Either a Standard or a Custom One

"A Drupal 8 initiative to improve Drupal's content workflow": this is how Dries Buytaert first defined the Workflow Initiative, back in 2016.

Now, coming back to 2018, you must be asking yourself a legitimate question:

“How do I set up a content workflow in Drupal 8?”

“How do I manage, extend and customize an editorial workflow to fit my Drupal 8 website's publishing needs? One including multiple users, with different permissions, that manages the workflow status of... different content types.”

Which are the (not so) new content management features and functionality implemented in Drupal core by now? Those aimed at improving the user experience (editors, content authors...)?

Let's get you some answers:

1. Introducing: The Content Moderation Drupal 8 Module

Content Moderation has reached a stable version in Drupal 8.5.

Why should you care? What makes this core module of critical importance for creating your content publication workflow?

- because otherwise, you'd have only two built-in states to “juggle with”: published and unpublished
- because it enables you to build a simple workflow for drafts, too
- … and to set up new custom editorial workflows, as well, in addition to the default one

In short, this module enables you to create a flexible content workflow process where:

- one of the editors in your team stages a “Draft” content and another user on your Drupal 8 website, with a different permission, reviews/updates it

It comes as a powerful tool for you to leverage when your workflow needs are more complex than “ON/OFF”.

2. How to Set Up a Simple Content Workflow in Drupal 8

You'll only need 2 modules for putting together the workflow for a basic content publishing scenario:

- Workflows, which provides just the framework needed for managing the states and transitions included in the process
- Content Moderation, which adds the “Draft” state, a “Draft to Published” content workflow, and an admin view for handling all the drafts

And here's how to set up a basic content publishing workflow in 4 simple steps:

- Enable the “Content Moderation” core module
- Go to “Configuration” and click the “Workflow” tab; it's the last one in the unfolding drop-down menu
- Open the “Workflows” page
- Tada! You've just turned on your default “Editorial workflow”

For now, you should have 3 major states in your workflow:

- draft
- published
- archived

Note: use permissions to grant content contributors the right to edit/create drafts, editors the “Transition drafts to published” permission, admins the right to “restore to draft transitions” and so on...

And voila! Your default editorial workflow, with the Content Moderation module ON, should suit your basic state tracking needs. It should fit any standard use case.

Now, if your workflow needs are a bit more complex and website-specific... keep on reading:

3. Content Revisions in Drupal 8

One of the most powerful features that Content Moderation will “turbocharge” your editorial workflow with is:

Saving each change as a content revision in the database.

It stores all revisions in the system.

But let's take a common scenario, shall we? Let's say that a second editor decides to make an update to a piece of content (either a content type or a custom block type). He/she updates it, then saves it as a “Draft”.

You'll then still have the published version of the content, that's live, on your Drupal website, as well as this Draft (or several of them), stored, as a revision, in your database.

A crucial functionality for any complex content publishing workflow:

- with content revisions, you get to keep track of who's updated what and when
- … to trigger log messages regarding those changes, informing other content authors that a given content has been edited
- and you can also revert to the oldest revisions if needed

4. How to Extend and Customize Your Content Publishing Workflow

Rest assured: there's no need for custom code writing, even if your content publishing needs are a bit more complex.

Here's what it takes to extend and to custom-tune your default content workflow in Drupal 8:

- While on your “Workflow” page, just click the “Add a new state” button and add more workflow states: “Needs Review” or “Second Review” etc.
- Next, make sure you adjust your transitions to support your newly added state(s). For instance, a “Second Review” state would require a “Move to Second Review” transition.
- Then, apply your extended workflow to either a specific content type or to a custom block type
- You can also create new separate content publishing workflows to have a different one for your press releases, a separate publishing workflow, an editorial workflow for your blog posts, a warehouse workflow etc.

Defining multiple workflows in Drupal 8, each one with its specific “ecosystem” of states and transitions, is now possible.

Notes:

- the transitions in your workflow will stand for the permissions that you'll assign to different Drupal roles in your team
- use clear, descriptive verbs to name them
- remember to grant editors the permission to undo transitions, as well (they might need to revert a piece of content to “Needs Work” once they've reviewed it, for instance)

In short: by defining multiple states for your piece of content (Published, Pending Review, Ready for Review, Ready for Second Review, Unpublished, Draft etc.) and managing the permissions corresponding to the state transitions, you can build a content workflow in Drupal 8 capable of supporting even the most complex publishing scenarios.

Now, another common scenario where a custom content workflow in Drupal 8 is needed is when you have a website publishing content to multiple platforms.

You have a Drupal 8 website, a native application and an internal portal, let's say... Your publishing workflow would look something like this:

- first, content gets moderated to be published on the front-facing Drupal website
- then, it gets put in the queue for review before it gets published (or declined) on each one of the other 2 platforms

Note: if you need to further extend your editorial workflow and to apply it to a custom entity, for example, you can always write a WorkflowType plugin that meets your specific needs.

Then, you can apply your custom workflow to... steps in ordering in a restaurant app, steps in a manufacturing process and to pretty much any entity (think beyond content) that needs to change its workflow states...

5. How Do You Know If You Really Need an Editorial Workflow?

Do you really need to use content moderation? To set up a whole workflow for your publishing scenario?

You do, if and only if:

- there are multiple content authors uploading content on your website, content that needs to be reviewed before it gets published
- you're managing a team of multiple admins, with different user roles
- each moderator knows his/her role in the publishing chain

But if the content authors in your team have the very same type of permission as the admins and they just push content through, a content moderation workflow is useless. It would only slow down the publishing process.

So, just because you have the option to set up a content workflow in Drupal 8 doesn't mean that you should rush to implement it on your own website, too... Maybe you just don't need a workflow.

The END!

What do you think about these content management capabilities in Drupal 8? Are they powerful and diverse enough to suit your workflow needs?
Adriana Cacoveanu / Nov 14'2018
AI vs Machine Learning: Is AI Different from Machine Learning? Or Are They the Same Thing?
AI, AR, VR, ML, DL...

AI vs Machine Learning: is there a difference between these 2 technologies? Which one(s)? Or do these 2 acronyms refer to the very same tech?

Keeping up with which tech does what, and parsing the differences between all the fancy 2-letter acronyms emerging these days, becomes increasingly challenging. Especially when the terms are often used interchangeably, like artificial intelligence and machine learning.

Now that's frustrating: how could you possibly draw a clear-cut demarcation line between such a broad concept and “catch-all” term as AI (or “machine intelligence”) and machine learning?

Time to shed some light here:

1. What Is Artificial Intelligence?

A more than succinct, yet descriptive enough definition would go something like this:

The capability of a machine to perform tasks that require human intelligence.

And here I'm referring to tasks such as:

- recognizing images/voices
- understanding languages, translating
- planning
- problem-solving
- learning

In short: once a computer system reaches a level where it understands, analyzes, tells the difference between objects and makes decisions all by itself — based on understood criteria — then we can already talk about artificial (or machine) intelligence.

Now, a more detailed definition of artificial intelligence would be:

The theory and development of machines that mimic intelligent human behavior. Machines that carry out tasks requiring human intelligence, in a more human-like way: they can reflect, make decisions, interact with humans and perform different complex tasks.

2. AI: Types and Applications

We couldn't talk about a complete and accurate “AI vs machine learning” analysis without focusing on the artificial intelligence typology and its specific applications.

Therefore, you should know that AI comes in two different “flavors”:

2.1. General AI

It involves broader applications:

A machine that learns to perform a wide range of complex tasks (that require human intelligence) and gains the ability to solve various problems in a human-like way.

Therefore, being broader in scope, general AI is harder to achieve than the “applied AI” alternative:

In fact, we don't yet have systems or devices capable of successfully handling any task that a human being can. That type of machine capable of mimicking the human brain, of understanding, interpreting, responding to various stimuli...

2.2. Applied AI (or “Vertical” or “Weak” or “Narrow”)

Defining the applied or “weak” AI is crucial for properly identifying the clear-cut differences between AI and machine learning:

It's that type of artificial intelligence — of “smart” system — that addresses a specific need. That focuses on handling one single predefined task (e.g. personalizing ads or trading stocks).

But maybe a few examples would be more appropriate for you to grasp the full meaning of applied AI:

- LinkedIn messaging
- Netflix recommendations
- Spotify discovery mode
- Siri

3. AI vs Machine Learning: What Is Machine Learning More Precisely?

First of all, we should make it clear that:

Machine learning is a subset of artificial intelligence.

And if we are to detail this statement a bit:

Machine learning is that subcategory of AI that uses statistical techniques to identify patterns of repetition in databases.

Once properly trained, it can analyze loads and loads of data sets, predict accurate outputs and sort new inputs all by itself (e.g. voice search).

For instance, after going through huge volumes of customer data, it can recommend the most appropriate products, based on online shoppers' past choices and search history. Or it can trigger certain functionalities of a piece of software based on a particular user's voice.

“But what do you mean by “training” a machine learning?”

Here, I'm referring to “neural networks”.

Basically, for each machine learning system there's a neural network programmer (or a team of them) who builds these networks for training and learning.

And what they do, more precisely, is choose specific factors of importance to determine the outcome of a given situation. And they keep “polishing” and further adjusting these factors (or “weights”) in the outcome until the network reaches the proper result according to the given input.

Once the machine learning system reaches that level where it's capable of understanding and adjusting the factors of importance on its own, to deliver accurate results (in real-time), it will keep improving itself. It will keep “learning” how to deliver more and more accurate results without any human intervention.

In short: you “feed” the algorithm with huge volumes of data and it will then learn, adjust itself and continuously evolve when it comes to determining the most accurate outcome of a situation.

Just think:

- image recognition
- voice recognition

Now, in an AI vs machine learning debate, one where we're trying to identify the differences between the two concepts, we can say that:

Artificial intelligence is the broad concept, whereas machine learning is the technology powering much of the development in the AI field.

That machine learning is a type of AI that learns — while getting fed huge amounts of data — and improves all by itself. With no human intervention to keep “telling” it which is the matching rule between new inputs and the most probable outputs.

4. In Conclusion...

What better way of ending this comparative analysis of the two terms/techs than by pinpointing the main differences between AI and machine learning in a shortlist?

Therefore, here it goes:

- while machine learning can exist without AI, the latter cannot exist without ML (the main reason behind the confusion when using these terms and why their definitions are often interchanged)
- once a machine can make a choice or any decision on its own, once it can spot the difference between 2 items, it grows into AI; then, there's more than machine learning technology that's being leveraged there

The END!

Is it clearer for you now which is the key difference between the two concepts? Where precisely you should draw the demarcation line between these 2 technologies?
Adriana Cacoveanu / Nov 12'2018
The Drupal 8 Layout Builder Module: How It Revolutionizes Content Layout Creation in Drupal
What's your favorite tool for creating content layouts in Drupal? Paragraphs, Display Suite, Panelizer or maybe Panels? Or CKEditor styles & templates? How about the much talked about and yet still experimental Drupal 8 Layout Builder module?

Have you “played” with it yet?

As Drupal site builders, we all agree that a good page layout builder should be:

- flexible; it should empower you to easily and fully customize every single node/content item on your website (not just blocks)
- intuitive, super easy to use (unlike "Paragraphs", for instance, where building a complex "layout", then attempting to move something within it, turns into a major challenge)

And it's precisely these 2 features that stand for the key goals of the Layout Initiative for Drupal:

To turn the resulting module into that user-friendly, powerful and empowering page builder that all Drupal site builders had been expecting.

Now, let's see how the module manages to “check” these must-have strengths off the list. And why it revolutionizes the way we put together pages, how we create, customize and further edit layouts. How we build websites in Drupal...

1. The Context: A Good Page Builder Was (Desperately) Needed in Drupal

It had been a shared opinion in the open source community:

A good page builder was needed in Drupal.

For, even if we had a toolbox full of content layout creation tools, none of them was “the One”. That flexible, easy to use, “all-features-in-one” website builder that would enable us to:

- build complex pages, carrying a lot of mixed content, quickly and easily (with no coding expertise)
- fully customize every little content item on our websites and not just entire blocks of content site-wide
- easily edit each content layout by dragging and dropping images, video content, multiple columns of text and so on, the way we want to

Therefore, the Drupal 8 Layout Builder module was launched! And it's been moved to core upon the release of Drupal 8.6.

Although it still wears its “experimental, do not use on production sites!” type of “warning tag”, the module has already leveled up from an “alpha” to a more “beta” phase.

With a more stable architecture now, in Drupal 8.6, significant improvements and a highly intuitive UI (combined with Drupal's well-known content management features), it stands every chance of turning into a powerful website builder.

That great page builder that the whole Drupal community had been “craving” for.

2. The Drupal 8 Layout Builder Module: Quick Overview

First of all, we should get one thing straight:

The Drupal 8.6 Layout Builder module is Panelizer in core!

What does it do?

It enables you, the Drupal site builder, to configure layouts on different sections of your website.

From selecting a predefined layout to adding new blocks, managing the display, swapping the content elements and so on, creating content layouts in Drupal is as (fun and) intuitive as putting Lego pieces together.

Also, the “content hierarchy” is more than logical:

- you have multiple content sections
- you get to choose a predefined layout or a custom-designed one for each section
- you can place your blocks of choice (field blocks, custom blocks) within that selected layout

Note: moving blocks from one section to another is unexpectedly easy when using Layout Builder!

3. Configuring the Layout of a Content Type on Your Website

Now, let's imagine the Drupal 8 Layout Builder module “in action”.

But first, I should point out that there are 2 ways that you could use it:

- to create and edit a layout for every content type on your Drupal website
- to create and edit a layout for specific, individual nodes/pieces of content

It's the first use case of the module that we'll focus on for the moment.

So, first things first: in order to use it, there are some modules that you should enable — Layout Builder and Layout Discovery. Also, remember to install the Layout Library, as well!

Next, let's delve into the steps required for configuring your content type's (“Article”, let's say) display:

- go to Admin > Structure > Content types > Article > Manage Display
- hit the “Manage layout” button

… and you'll instantly access the layout page for the content type in question (in our case, “Article”).

It's there that you can configure your content type's layout, which is made of:

- sections of content (displayed in 1, 2, 3... columns and other content elements)
- display blocks: tabs, page title...
- fields: tags, body, title

While you're on that screen... get as creative as you want:

- choose a predefined layout for your section — “Add section” — from the Settings tab opening up on the right side of the screen
- add some blocks — “Add block”; you'll then notice the “Configure” and “Remove” options “neighboring” each block
- drag and drop the layout elements, arranging them to your liking; then you can click on either “Save Layout” or “Cancel Layout” to save or cancel your layout configuration

And since we're highly visual creatures, you may want to have a look at this Drupal 8 Layout Builder tutorial made by Lee Rowlands, one of the core contributors.

In short: this page builder tool enables you to customize the layout of your content to your liking. Put together multiple sections — each one with its own different layout — and build website pages, carrying mixed content and multiple layouts, that fit your design requirements exactly.

4. Configuring and Fully Customizing the Layout of a Specific Node...

This second use case of the Drupal 8 Layout Builder module makes it perfect for building landing pages.

Now, here's how you use it for customizing a single content type:

- go to Structure > Content types (choose a specific content type)
- click “Manage display” on the drop-down menu
- then click the “Allow each content item to have its layout customized” checkbox and hit “Save”

Next, just:

- click the “Content” tab in your admin panel
- choose that particular article that you'd like to customize
- click the “Layout” tab

… and you'll then access the very same layout builder UI.

The only difference is that now you're about to customize the display of one particular article only.

Note: basically, each piece of content has its own “Layout” tab that allows you to add sections and to choose layouts.

Each content item becomes fully customizable when using Drupal 8 Layout Builder.

5. The Drupal 8.6 Layout Builder vs Paragraphs

“Why not do everything in Paragraphs?” has been the shared opinion in the Drupal community for a long time.

And yet, since the Layout Builder tool was launched, the Paragraphs “supremacy” has started to lose ground. Here's why:

- the Layout Builder enables you to customize every fieldable entity's layout
- it makes combining multiple sections of content on a page and moving blocks around as easy as... moving around Lego pieces

By comparison, just try to move... anything within a complex layout using Paragraphs:

- you'll either need to keep your fingers crossed so that everything lands in the right place once you've dragged and dropped your blocks
- or... rebuild the whole page layout from scratch

The END!

What do you think:

Does Drupal 8 Layout Builder stand a chance of competing with WordPress' popular page builders? Of “dethroning” Paragraphs and becoming THAT page layout builder that we've all been expecting?

Or do you think there's still plenty of work ahead to turn it into that content layout builder we've all been looking forward to?
RADU SIMILEANU / Nov 02'2018
Can LastPass Just Block Your Account and Withhold Your Passwords? Yes! Here Is What They Have Put Us Through
What if you lose your LastPass master password? Then you're doomed... You'll lose your password vault for good. But hey, you can still lose all your sensitive data even if you don't forget that crucial password!

I mean, if it has already happened to us...

Apparently, there's no guarantee that one day, for no reason, LastPass won't:

- lock you out of your account and block your access for... mere fun
- keep advising you to use their recovery password form… one that doesn't work and that you had already tried, several times, with no success
- keep suggesting that you're some sort of a "liar", insisting that you had, in fact, changed your master password and that's why you can't log in now
- keep giving you "suicidal" advice: delete your account and open a new one, even if this means losing all your data
- refuse to allow you to retrieve the data that you stored in your "old" account to export it to that new account they keep insisting you create
- refuse to refund you the money you had paid, in advance, for a service that apparently doesn't serve your needs: it keeps you blocked out and puts a garnishment on your passwords

So, just beware of which company you choose to trust with your sensitive data!

Their "The last password you'll ever need" slogan might just turn into: "The last password you'll ever have". For once they block you, you'll be left with... none.

But let's rewind and go back to the day when it all started. Little did we expect it to turn into our worst-ever scenario, considering that we had been happy LastPass users since... 2009.

1. It Started Like Just Another Ordinary Log In to Our LastPass Account...

But — surprise, surprise — we couldn't sign in.

And our master password was the same old one: we did NOT forget it! I mean, we had been LastPass users for almost 10 years:

We were fully aware of what would happen if we ever lost that priceless password!

So, we jumped straight to their “Recover Account” form, which brutally served us the following message:

And it was about that time that things started to go wrong. When the “ordinary” slowly turned into... extraordinary:

An extraordinarily bad experience with the LastPass support team.

2. When in Trouble, Contact LastPass Support and... Start a Deaf Dialogue

This is where our deaf dialogue with lovely Michelle from LastPass's support team started. And it was such a nice and fruitful chat that we had there!

I let her know that, for some mysterious reason, that day, of all the days in the previous 9 years, I couldn't access our account. Nor could I use their recovery account system for... it didn't work.

Lovely Michelle either:

- suggested that I was lying when I told her about my attempts to use their recovery account form
- understood everything just too well, but she had a script to follow, so she decided to ignore parts of my message
- thought she was dealing with a retarded person

… and told me that, in fact, I had managed, somehow, to change my master password. Then she kindly advised me to... go through their recovery account steps.

Even though I had told her I already had done that. But, who was I to come in between her and the script she had to follow blindly?

And then came her somehow “suicidal” advice for us, the OPTASY team, one of the loyal LastPass customers:

To delete my current account (for which I had already paid in advance) and create a new one! Just like that!

3. News Alert! LastPass Can Block You Out and Withhold Your Stored Data

For that's what happens when they advise you to delete your account and “start over”:

Your password vault goes... down the drain or gets stuck in their cloud, no matter how you want to look at it.

Here's a tricky question for you:

What would be a worse scenario for you?

- To lose all the passwords that you've trusted LastPass with?
- To lose all your passwords with no guarantee that no one else can access them later on?

And here's charming Michelle's brutally honest answer to my legitimate question(s):

“What's gonna happen with all the records in our OLD account? How can we import them into the new one?”

And that reply just... sent cold shivers down our spines...

4. Being Punished Without Fault: No Refund and No Chance to Export Our Data

Now, you do guess that it was about then that we reached the climax of our conversation with the LastPass support team (aka Michelle).

And so, masochistically enough, we dared to pop up another question:

“If you're not able to help me reset the password, please let me know how can I export all the data from my old account and refund the money I paid in advance.”

The answer was a... slap in the face, like the previous ones:

To sum up now:

- locked out from our LastPass account, after several years
- left to somehow make their not-working “recovery account system”... work for us
- forced to keep trying it over and over again
- given just one option: to create a new account and lose all our passwords (and the money paid in advance, as well)

Can you imagine that we trusted LastPass for years? And that we ended up getting treated like this? With no fault.

5. Their Invariable Response? To Start Over and Knowingly Lose All Passwords

Needless to add that I kept on explaining to the LastPass support that in vain did they point out the recovery steps to take: I had already taken them, even before I had contacted them in the first place. With zero success...

I claimed back the money we had paid in advance for their password manager service, as well as the possibility to export our passwords to that new account that they insisted that we should set up.

Michelle's answer:

The END!

No happy ending, though, to this story of our terrible experience with LastPass. Who would have thought that all these years we were trusting them with our most valuable data!

And that one day they'd just... kick us out and withhold precisely that sensitive data with:

- no fault from our side
- no clear explanation on their side

So, just beware, be informed, be skeptical about trusting LastPass...
Adriana Cacoveanu / Oct 12'2018
Can I Trust LastPass with My Passwords? No! Our Unexpectedly Bad Experience with Them
“Trust LastPass at your own risk!” would be our answer.

One based both on:

- this password manager's own “beefy” record of critical security vulnerabilities, cross-site scripting bugs, breaches and major architectural issues
- our bad experience with LastPass, as a client

And before we dig into the heavy load of evidence that we base our “case” on, allow us to expose some of their former clients' testimonials:

“I lost my entire LastPass passwords in March 2017. It was a disaster for me. I have had LastPass since the beginning, can you imagine all the passwords saved over the years? I think you should do some research on LastPass and the changes, the bad changes that have happened with LastPass” (Barbara's comment, 5 Best LastPass Alternatives to Manage Your Passwords)

“About a month ago when I tried to log in to LastPass I got the message that I had entered the wrong vault password - but I can assure you that nor I, nor my cat has changed it... When I contacted LastPass, they in a rude manner "taught" me that what I hadn't experienced what I had in fact had experienced, since it is "impossible", and their "help" consisted in giving me the clue to the main password to LastPass - i.e. the password, which I explained to them isn't valid anymore...” (Robert's comment, You Should Probably Stop Using LastPass Temporarily)

“Around a month ago I switched from LastPass to Bitwarden as my password manager. To make sure my passwords were protected I deleted my LastPass account, now I get an email asking me to renew my subscription for my DELETED LastPass account. I wonder what else they stored about me...” (user/dumah310, LastPass storing email from deleted account)

1. But First: How Does LastPass Work?

In plain language: LastPass stores your encrypted passwords (and secure notes) in the cloud and secures them via a master password.

And the “master password” is both the strength and the main vulnerability of this password management service.

Now before I back up the above statement with our own experience with LastPass, here's an excerpt of an “enlightening” HackerNews post:

“Users must also devise a “master password” to retrieve the encrypted passwords stored by the password management software. This “master password” is a weak point. If the “master password” is exposed, or there is a slight possibility of potential exposure, confidence in the passwords are lost.”

2. 5 Security Vulnerabilities Over the Last 7 Years... and Still Counting

“How secure is LastPass from being hacked?”

I'll leave it to you to evaluate it while going through its “impressive” record of security flaws and vulnerabilities over the last years:

2.1. In 2011 a Cross-Site Scripting Vulnerability Was Detected

In February 2011 Mike Cardwell, a security researcher, tracked down an XSS bug on the company's website.

Once “exploited”, this vulnerability could basically enable attackers to steal:

- hashed passwords
- the list of websites that users log into (along with the IP addresses, times and dates of their logins)
- their email addresses
- underlying cryptographic salts

LastPass fixed that bug within hours.

2.2. That Same Year a Second “Likely” Security Breach Was Identified

Later on that year, in May, the company's team spotted a new “anomaly” in both their incoming and outgoing network traffic.

Therefore, suspicions arose that a hacker might have accessed their servers.

What kind of risks did this “abnormal activity” entail?

Well, the attacker could check thousands of passwords in a short period of time, using a combination of user emails, guesses on their master password and the salt.

As the LastPass CEO confirmed himself back then, in an interview for PCWorld.com:

“You can combine the user's e-mail, a guess on their master password, and the salt and do various rounds of one-way mathematics against it. When you do all of that, what you're potentially left with is the ability to see from that data whether a guess on a master password is correct without having to hit our servers directly through the website.”

2.3. In 2015 a Hacker Attack Compromised the Company's Servers

Here's another answer to your “Can we trust LastPass?” question:

In June 2015 a post on the company's blog announced that their team had detected suspicious behavior on their network.

The result? LastPass servers got hacked and the cryptographically protected content compromised. And we're talking here about:

- user passwords
- password reminders
- cryptographic salts
- email addresses

2.4. In 2016 a Vulnerability that Enabled Reading Plaintext Passwords Was Exposed

Within a year, in July 2016, a new security vulnerability in the autofill functionality was identified and then detailed by a representative of DETECTIFY, an independent online security firm.

Basically, the article raised new suspicions about whether one could trust LastPass with their passwords:

The URL-parsing code of the LastPass browser extension — the HTML piece of code that was added to every page that the “victim” would visit — was poorly written. Sloppy enough to enable a potential attacker to read plaintext passwords once the user landed on a malicious website.

2.5. In 2017 a “Major Architectural Problem” Was Discovered

In June 2017 Google's security researcher Tavis Ormandy made a new discovery:

A security vulnerability in the LastPass Chrome extension (that applied to Firefox and Edge, as well), which, once exploited, could enable a hacker to steal passwords or engage in remote code execution.

He described it as a “major architectural problem” to point out that this time we weren't facing some... signs of carelessness, but a hole in LastPass' security shield instead.

“How safe is LastPass?” Users started to ask themselves again and many even started looking for alternatives.

3. About Our Own Unexpectedly Bad Experience as a LastPass Client

Let us share with you some glimpses of our rough experience as LastPass users.

I would start by saying that:

Yes, the worst-possible scenario did happen to us. We've apparently lost all the passwords “safely” stored in our LastPass account.

There are zero chances to retrieve them, to export them to another password manager and/or to get a refund, considering that we had paid for one year in advance.

How did it all begin?

With us trying to log into our account, as usual. But, we got this “welcome” message instead:

“Invalid password”

We next tried to reset our master password, using their reset password form. With no success, though:

“LastPass account recovery failed for... Your current web browser did not save account recovery data on this computer. Please try account recovery again with every browser and on every computer you...”

And then the “dialogue of the deaf” began, with:

Us stating that we did NOT reset our password, for it was not possible, and the LastPass support team claiming that we did restart it.

And telling us that there's no option but to:

- create a whole new account
- say goodbye to all our passwords "safely" stored there for good; there's no chance to export that sensitive user data to another password manager service
- lose all hope of getting a refund for the money we had paid in advance, due to their “No refund policy”

In short: if for some mysterious reason, one day LastPass doesn't recognize your current master password anymore and you're not allowed to reset it either... you're doomed.

Now, can you guess what's our answer to this question:

“Can we trust LastPass?”

4. Bottom Line: Should You Trust LastPass?

“Trust this service at your own risk!”

For one day, no matter whether you've:

- disabled the auto-fill functionality
- enabled two-factor authentication (for both LastPass and your other critical accounts)
- chosen an “invincible” master password for your LastPass account
- kept both your software and your machine “spotless clean” and up-to-date
- used one different password per account

… you still run the risk of finding yourself locked out!

Just talking from experience...
Adriana Cacoveanu / Oct 09'2018
Automatic Updates in Drupal Core? Top Benefits and Main Concerns With Drupal Updating Itself
Just imagine... automatic updates in Drupal core. Such a feature would put an end to all those never-ending debates and ongoing discussions taking place in the Drupal community about the expectations and concerns with implementing such an auto-update system.

Moreover, it would be a much-awaited upgrade for all those users who've been looking for (not to say “longing for”) ways to automate Drupal core and modules for... years now. Who've been legitimately asking themselves: “Why doesn't Drupal offer an auto-update feature like WordPress?”

And how did we get this far? From idea to a steady-growing initiative?

- first, it was the need to automate Drupal module and security updates
- then, the issue queues filled with opinions grounded in skepticism, valid concerns and high hopes started to “pile up” on Drupal.org,
- then, there was Dries' keynote presentation at Drupalcon Vienna in 2017, raising awareness around the need to re-structure Drupal core in order to support a secure auto-update system
- … which grew into the current Auto Update Initiative that echoed, recently, at Drupal Europe 2018, during the “Hackers Automate, but the Drupal Community still Downloads Modules from Drupal.org” session

Many concerns and issues have been pointed out. Many questions have been added to the long list. Yet, one thing's for sure: There still is a pressing, ever-growing need for an auto-update feature in Drupal...

So, let me do my best to answer some of your questions regarding this much-awaited addition to Drupal core:

- What's in it for you precisely? How will an auto-update pre-built feature benefit you?
- Does the user persona profile suit you, too? Is it exclusively low-end websites that such a feature would benefit? Or are enterprise-level, company websites targeted, as well?
- What are the main concerns about this implementation?

1. The Automatic Updates Initiative: Goal & Main Challenges

Let's shift focus instead and review the inconveniences of manually installing updates in Drupal:

- it's time-consuming
- it can get risky if you don't know what you're doing
- it can be an intimidatingly complex process if you have no dedicated Drupal support & maintenance team to rely on
- it can get quite expensive, especially for a small site or blog owner

See where I'm heading? This initiative's main objective is to spare Drupal users all these... inconveniences when it comes to updating and maintaining their websites. Inconveniences that can easily grow into reasons why some might get too discouraged to adopt Drupal in the first place.

The goal is to develop an auto-update mechanism for Drupal core conceptually similar to those already implemented on other platforms (e.g. WordPress).

And now, let's dig up and expose the key challenges in meeting this goal:

- enabling update automation in Drupal core demands a complete re-engineering of the codebase; it calls for a reconstructing of its architecture and code layout in order to support a perfectly secure auto-update system
- such an implementation will have a major impact on the development cycle itself, causing unwanted disruption
- such a built-in auto-update feature could get exploited for distributing and injecting malware into a whole mass of Drupal websites

2. Automatic Updates in Drupal: Basic Implementation Requirements

What would be the ideal context for implementing such a perfectly secure auto-update system? Well, its implementation would call for:

- multiple (up to date) environments
- released updates to be detected automatically and instantly
- an update pipeline for quality assurance
- existing automated tests with full coverage
- a development team to review any changes applied during the update process

3. How Would These Auto-Updates Benefit You, the Drupal User?

Let's see, maybe answering these key questions would help you identify the benefits that you'd reap (if any):

- is your Drupal website currently maintained by a professional team?
- has it been a... breeze for you so far to cope with Drupal 8's release cycle (one new patch each month and a new minor release every 6 months sure claim a lot of your time)?
- have you ever got tangled up in Composer's complexities and a whole load of third-party libraries when trying to update your Drupal 8 website?
- did you run the Drupalgeddon update fast enough?
- have you been secretly “fantasizing” about a functionality that would just update Drupal core and modules, by default, right on the live server?

To sum up: having automatic updates in Drupal core would keep your website secured and properly maintained without you having to invest time or money for this.

4. Drupal Updating Itself: Main Concerns

And concerns increase exponentially as the need for an update automation in Drupal rises (along with the expectations). Now, let's outline some of the most frequently expressed ones:

- there is no control over the update process, no quality assurance pipeline; basically, there's no time schedule system enabling you to test any given update, in a development environment, before pushing it live
- there's no clearly defined policy on what updates (security updates only, all updates, highly critical updates etc.) should be pushed
- with Drupal updating itself, rolling back changes wouldn't be possible anymore (or discouragingly difficult) with no Git for version control
- again: automatic updates in Drupal could turn into a vulnerability for hackers to exploit for a mass malware attack
- there's no clear policy regarding NodeJS, PHP and all the JS libraries in Drupal 8, all carrying their own vulnerabilities, too
- it's too risky with all those core and module conflicts and bugs that could break through
- such a feature should be disabled by default; thus, it would be every site owner's decision whether to turn it on or not
- could this auto-update system cater to all the possible update workflows and specific behaviors out there? Could it meet all the different security requirements?

So, you get the point: no control over the update pipeline and no policy for handling updates are the aspects that concern developers the most.

6. Does It Cater for Both Small & Enterprise-Level Websites' Needs?

There is this shared consensus that implementing automatic updates in Drupal core would:

- not meet large company websites' security requirements; that it would not fit their specific update workflows
- benefit exclusively small, low-end websites that don't benefit from professional maintenance services

Even the team behind the automatic updates initiative have prioritized low-end websites in their roadmap.

But, is that really the case? Should this initiative target small websites, with simple needs and writable systems, that rarely update, and overlook enterprise-level websites by default? Or should this much-wanted functionality be adjusted so that it meets the latter's needs, as well? In this case, the first step would be building an update pipeline that would ensure quality.

What do you think?

7. How About Now? "What Are My Options for Automating Updates in Drupal?"

In other words: what are the currently available solutions if you want to automate the Drupal module and security updates?

7.1. You Can Use Custom Scripts to Automate Updates

… one that's executed by Jenkins or another CI platform.

Note: do bear in mind that properly maintaining a heavy load of scripts and keeping up with all the new libraries, tools, and DevOps changes won't be precisely “child's play”. Also, with no workflow and no integrated tools, ensuring quality's going to be a challenge to consider.

7.2. You Can Opt for a Drupal Hosting Provider's Built-In Solution

“Teaming up” with a Drupal hosting provider that offers you automated updates services, too, is another option at hand. In this respect, solutions for auto-updating, such as those provided by Pantheon or Acquia, could fit your specific requirements.

Note: again, you'll need to consider that these built-in solutions do not integrate with your specific DevOps workflows and tools.

And my monologue on automatic updates in Drupal ends here, but I do hope that it will grow into a discussion/debate in the comments here below: Would you turn it on, if such a feature already existed in Drupal core?

- Definitely yes
- No way
- It depends on whether...
RADU SIMILEANU / Sep 28'2018
Media Handling in Drupal 8.6.0: 4 New Features that Will Enhance Your Media Management Experience in Drupal
The media management experience had been one of the well-known sources of frustration for Drupal content editors for a long time. For, let's face it: Drupal's out-of-the-box media support was just... basic.

But not anymore: there are new exciting features for media handling in Drupal 8.6.0 that will dramatically change the way you manage your media assets on your Drupal website!

Now, let's take a sneak peek at these most-anticipated media handling features that Drupal 8.6.0 comes equipped with:

- adding media from a remote source
- adding various types of media
- embedding YouTube and Vimeo videos in the content (via URL)
- easily accessing and reusing the existing media
- uploading new media types right out of the box

And this is almost... overwhelming: From almost no built-in media support in Drupal, for so many years, to a whole set of modern, powerful media management options now in Drupal 8.6.0.

But let's not ramble about this topic anymore and dive right in! Into the pile of new features meant to enhance the whole media management experience in Drupal:

But First: An Update on The Progress of the Media in Drupal 8 Initiative

The main goal of this media initiative was to: Add a rich media support to Drupal 8. One that would empower the content editors to easily reuse existing media assets, add new media entities and to overall gain more control (and meta information) over their media.

And there are 3 core milestones that we can trace while tracking the progress of this initiative for Drupal 8:

- adding the experimental Media module to Drupal 8.4 in late 2017
- leveling up this module from experimental to stable phase in Drupal 8.5.0
- turning it into the standard way of storing media in Drupal

Moreover, starting with Drupal 8.6.0 a new key module for handling media has been added to core — Media Library — along with a few more exciting options:

- quick access to the existing media assets
- oEmbed support
- a new media type: remote video content

Quite a “leap” forward, to a great media management experience in Drupal, I would say...

2. Welcome a New Media Type in Drupal 8: Remote Video

Let us list the 4 media types that you could add to your site's content up to Drupal 8.6.0:

- file
- image
- video
- audio

OK, now it's time you welcomed a new media type to the group: remote video! Basically, as a content editor you're now able to add videos from remote sources, as well — Vimeo and YouTube — via their URLs.

In short: you're no longer constrained to settle for the default media types in Drupal 8. No sir, now you get to create new custom ones mentioning their media sources.

Summing up: embedding new media to your website content is nothing but a two-step process: Content-Add Media.

3. Reusing Media Is Now Possible: Media Library

One of the much-awaited features for media handling in Drupal 8.6.0 had been reusable media. Well, here it is now: Media Library! It's where you can save and store all your media assets to be further reused whenever needed.

Note: do keep in mind that this is an experimental module and that you'll also need to enable the Media module first.

“And how does it work more precisely?”

- while in your content edit screen just browse through all the media assets stored in your Media Library
- select the one you need and simply “inject” it into your page

Note: it's the “Media library” widget, added to the Media field, that enables you to scan through all your media entities straight from the content edit screen.

4. The New “Media” Field: A Quick Way to Embed Media in Your Content

Handling media in Drupal 8.6.0 is as simple as... adding a new field — “Media” — to the content type in question (be it news, blog post, article and so on).

Once the new field is added on, just go through the 5 media types available in Drupal 8.6.0 and select the one you need to embed. Next, you can simply integrate it into your content, while in your edit screen, positioning it to your liking.

5. New Media Handling in Drupal 8.6.0: YouTube & Vimeo Embeds

A new media management tool that significantly improves the whole content editing experience in Drupal. You're able to embed remote videos from YouTube and Vimeo via URL, thanks to the now added oEmbed media support.

“How precisely?” Basically, you simply:

- add that new “Media” field to your content type, as previously stated
- select the “Remote Video” option from the “Media Type” drop-down menu
- enter your video's URL in the “Video URL” field, while in your “Add Remote Video” screen
- and click “Save”

And voila: you'll have your remote video integrated into your content!

The END! As Steve Burge from OSTraining would say: “Finally we're getting somewhere with media in Drupal!”

What do you think about the new features for media handling in Drupal 8.6.0? What other options and tools are there on your wishlist? To be able to embed remote videos right from the node create page, maybe? Or to have other video platforms, as well, supported in Drupal?
Silviu Serdaru / Sep 21'2018
What Makes Magento 2 the Best Choice for Mobile Commerce? 6 Obvious Reasons to Consider It
Why Magento 2 and not Shopify, WooCommerce, Joomla, BigCommerce, Volusion and the list of popular e-commerce platforms could go on? Why is Magento 2 the best choice for mobile commerce? After all, they all provide responsive product pages design, right?

Yes, but that's just the “tip of the iceberg”. There are lots of other factors to consider, as well, when striving to ensure your e-store's success on mobile:

- the shopping cart
- the checkout experience
- the page load times (considering the high level of unpredictability specific to mobile connectivity)
- the admin UI
- the “manage your store on the go” functionality

… and so on.

Magento 2's built to meet all your mobile commerce-specific expectations, plus a few more. Now, out of all the most obvious reasons why you should consider it as your platform of choice for your mobile e-store, we've selected the 7 most compelling ones:

1. Intuitive and Easier to Use Admin UI

A huge “leap” forward from Magento's discouragingly complex and confusing former admin panel. How is it better?

- it's cleaner
- it's more (non-technical) user-friendly
- it's easier to use

Practically, in Magento 2 store admins are no longer dependent on developers for every little change they need to make in their online stores. From finding precisely the tools they need to adding new product listings, admins can now perform all the common tasks in their dashboards much quicker.

2. A Simple Checkout Process: It Makes Magento 2 the Best Choice for Mobile Commerce

And this is that part of your mobile e-store that can make or break its reputation for good. A cumbersome, overly complex, lengthy checkout experience will only make your customers “run for the hills” and never come back to... pick up their abandoned carts (and maybe even spread the news about the frustrating checkout experience they had in your store).

You see my point here, right? This platform's simple, frictionless checkout process is directly responsible for the success of any e-commerce website using Magento 2.

3. All Magento 2 Themes and Templates Are Responsive by Default

Magento 2 comes jam-packed with free, responsive themes for you to just scan through, select from and use to deliver mobile-friendly shopping experiences. That, of course, in addition to the always available options of:

- going with a third-party theme
- having a Magento 2 developer build a custom theme for you, from scratch, and tailor it to your store's specific needs

4. Easy to Manage Your Magento 2 Store Right On Your Smartphone

Another enhancement that makes Magento 2 the best choice for mobile commerce. Just imagine that as a store admin you'll get to manage all its features:

- catalog management features
- CMS
- SEO and marketing features
- order management

… on the go, right from your mobile phone, right from your admin panel. And it's this type of convenience that turns Magento 2 into the most popular platform among e-commerce business owners.

5. Caching Capabilities

And you need to consider how unpredictable mobile connectivity can get. Luckily, Magento 2's got your back: its caching capabilities are the “safety net” you need when your online store's visitors are facing issues of limited connectivity.

It supports Varnish Full Cache, which makes it easy for developers in your team to boost your Magento store's performance despite the internet connectivity's limitations.

6. Powerful Built-In Marketing Features

Speaking of conveniences, Magento 2 provides you with a heavy load of robust marketing features right out of the box. I'm talking here about:

- visual merchandising
- optimized product category pages
- sharing an email
- drag and drop functionality
- wishlist creation feature
- customer segmentation

In short: all the modern features you could possibly think of for “fueling” your mobile marketing strategy with.

The END! What do you think, can these 6 reasons here stand for 6 clear answers to your question: “What makes Magento 2 the best choice for mobile commerce?”
Adriana Cacoveanu / Sep 20'2018
How Can You, As a Client, Prevent Missed Deadlines on Your Web Projects? 6 Best Practices
Lots of helpful tips and tricks, tons of best practices, plenty of great advice on how to prevent missed deadlines on your web projects. And yet: all these “how to's” are targeting project managers, team leaders and, overall, web development teams.

But what about you, the client? What can you do to help the teams working on your web projects avoid missing deadlines? What best practices should you adopt in order to streamline the development process? And what bad client habits should you break to avoid scope creep and, implicitly, delaying your own project?

Now that we've gone through all your possible questions and dilemmas as a client regarding the “deadline issue”, let's dig for some answers, too. In this respect, here are the 6 best practices that you should stick to when working with a web development team, to ensure that they'll meet their deadline:

1. Clearly Articulate all Your Project Requirements — Ideas, Vision, Expectations

Do speak now or forever hold your peace! In other words: share your detailed specifications, your requirements, even just your glimpses of ideas in a very early phase of your project's development life-cycle.

This way, you'll empower your contacted team to come up with an accurate project estimate. And thus, to ensure that they'll meet the deadline you will have agreed upon.

What's your vision for the project? What do you expect your software product to do? What features should it incorporate? What are your predictions in terms of website traffic?

Be sure to express all your requirements as accurately as possible, whether in the form of:

- drawings on a sheet of paper
- detailed specifications
- verbal explanations
- screenshots

2. Over the Budget? Discuss Prioritization of the Key Features

Another best practice to prevent missed deadlines on your web projects, as a client, is to prioritize specific tasks included in the project. And this practice gets particularly helpful when you find yourself budget-constrained.

What are the essential features and functionalities that your website/application should have? Identify them, then discuss prioritizing those specific implementations with the development team. This way you:

- stay on budget
- (still) meet the deadline
- set some realistic expectations
- draft an updated roadmap for your development team to follow

Tip: are you familiar with the MVP (minimum viable product) philosophy?

3. Give Them Timely Access to Materials They Need to Move Forward

More often than not, it's clients' failure to carry out their own parts of the projects (on time) that leads to significant delays in the development process.

And forgetting/overlooking/refusing/being out of reach to give your development team timely access to those materials that are crucial for their work is one such example. I'm talking here about materials such as:

- project-specific content
- data
- brand fonts

… and other resources they might need to advance in their work.

Which leads us to another best practice that clients (too) often fail to follow:

4. Be Reachable: Stay Active on Communication Channels

It's crucial that you be available on (all) communication channels. The team of web developers working on your project might need:

- your approval on certain tasks that they will have completed before they can focus on the next development phases
- your input to the next-in-line deliverable
- your decision regarding a multi-solution challenge they're facing

So, you do get the point: the more difficult it'll be for them to reach you, the higher are the chances that they miss their deadline.

5. Ask Your Questions to Prevent Missing Deadlines on Your Web Projects

Do dare to ask the project manager, the customer service manager or team lead all your questions. Whether technical or not. For you do not need to be a Drupal, Magento, WordPress, React, Laravel, Angular or any other technology expert.

Yet, you must ask your development team any questions that you might have regarding the used tools and platforms. ... regarding their specific procedures, internal processes and, overall, their particular approach to project management.

Ask your questions and allow them to shed light on any “blurriness” that you might be facing. Otherwise, confusion will only lead to last-minute changes of scope and missed deadlines.

6. Set Realistic Deadlines to Accommodate Your Last-Minute Requirements, Too

Are there any last-minute changes, unplanned requirements or off-the-plan tasks that you need to integrate into your project's development cycle? Talk about them with the project manager and maybe you'll reach an agreement to add a few more developers to your project.

And also, keep in mind to set a realistic deadline to accommodate all these emergencies, as well.

What's a Scope Creep More Precisely?

Something that many clients are guilty of, I must say. It comes down to: Changing the scope of a project. And there are multiple causes for this:

- urgent, last-minute requests coming from the client, that imply high volumes of extra work
- poor scheduling
- poor budgeting
- lack of cooperation

The END! These are the 5 most effective best practices to adopt, as a client, in order to prevent missed deadlines on your web projects.
Adriana Cacoveanu / Sep 18'2018