Feed aggregator

myDropWizard.com: Drupal core security update for SA-CORE-2018-001 (including Drupal 6!)

Drupal Planet -

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

What makes this release special, is that some of these issues also affect Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

The following vulnerabilities mentioned in the security advisory affect Drupal 6:

  • JavaScript cross-site scripting prevention is incomplete - Critical

  • jQuery vulnerability with untrusted domains - Moderately Critical

  • External link injection on 404 pages when linking to the current page - Less Critical

Here you can download the Drupal 6 patch, or a full release as a ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

[$] Licenses and contracts

LWN Headlines -

Some days it seems that wherever two or more free-software enthusiasts gather together, there also shall be licensing discussions. One such, which can get quite heated, is the question of whether a given free-software license is a license, or whether it is really a contract. This distinction is important, because most legal systems treat the two differently. I know from personal experience that that discussion can go on, unresolved, for long periods, but it had not previously occurred to me to wonder whether this might be due to the answer being different in different jurisdictions. Fortunately, it has occurred to some lawyers to wonder just that, and three of them came together at FOSDEM 2018 to present their conclusions.

Subscribers can read on for a report on the talk by guest author Tom Yates.

uTorrent Client Affected by Some Pretty Severe Security Flaws

Slashdot -

A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop client that allow an attacker to infect a victim with malware or collect data on the users' past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.

Read more of this story at Slashdot.
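The DNS-rebinding part of that report concerns a local RPC server that accepts any request arriving on its port, so a browser that has been rebound from an attacker's hostname to 127.0.0.1 can talk to it as if it were local. The standard server-side mitigation is to reject requests whose Host header does not name the loopback address the service actually listens on, and to allowlist the Origin header for browser-originated requests. The following is an added example of that check, not code from uTorrent, BitTorrent Inc. or the researcher; the port numbers come from the summary above, while the function names, the Origin allowlist and the sample requests are constructed for illustration.

```python
import ipaddress

# Hostnames accepted as "local" in addition to loopback IP literals (assumption).
LOOPBACK_NAMES = {"localhost"}


def parse_host_header(value):
    """Split a Host header into (host, port-or-None); None if malformed.

    Handles 'host', 'host:port' and '[ipv6]:port'. A bare unbracketed IPv6
    literal is not a valid Host value and is rejected as a side effect.
    """
    value = value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        if rest == "":
            return host, None
        if not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return host, int(rest[1:])
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, None
    if not port.isdigit():
        return None
    return host, int(port)


def is_loopback_host(host):
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def host_header_is_trusted(value, listen_port):
    """Reject Host values that a rebound browser would send (attacker's name)."""
    parsed = parse_host_header(value)
    if parsed is None:
        return False
    host, port = parsed
    if not is_loopback_host(host):
        return False
    return port is None or port == listen_port


def allowed_origins(listen_port):
    """Origins the service's own UI would use; anything else is cross-site."""
    return {f"http://localhost:{listen_port}", f"http://127.0.0.1:{listen_port}"}


def check_request(headers, listen_port):
    """Decide whether an RPC request may be served.

    headers: dict with lower-case header names (constructed input).
    Returns (allowed, reason).
    """
    host = headers.get("host")
    if host is None or not host_header_is_trusted(host, listen_port):
        return False, "untrusted Host header (possible DNS rebinding)"
    origin = headers.get("origin")
    # Browsers attach Origin to cross-site fetches and to "null" contexts;
    # only the service's own pages may drive the RPC API.
    if origin is not None and origin.lower() not in allowed_origins(listen_port):
        return False, "cross-site Origin not in allowlist"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests against a classic-client style port.
    samples = {
        "local ui":        {"host": "127.0.0.1:10000", "origin": "http://127.0.0.1:10000"},
        "rebound browser": {"host": "rebind.example:10000", "origin": "http://rebind.example"},
        "wrong port":      {"host": "127.0.0.1:19575"},
        "cross-site":      {"host": "localhost:10000", "origin": "http://evil.example"},
    }
    for name, hdrs in samples.items():
        print(f"{name:16s} -> {check_request(hdrs, 10000)}")
```

A check like this only works if the server compares against the literal loopback names it binds to; accepting any hostname that currently resolves to 127.0.0.1 reintroduces the rebinding problem, because the attacker controls that resolution.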

[$] Open-source trusted computing for IoT

LWN Headlines -

At this year's FOSDEM in Brussels, Jan Tobias Mühlberg gave a talk on the latest work on Sancus, a project that was originally presented at the USENIX Security Symposium in 2013. The project is a fully open-source hardware platform to support "trusted computing" and other security functionality. It is designed to be used for internet of things (IoT) devices, automotive applications, critical infrastructure, and other embedded devices where trusted code is expected to be run.

Slashdot Asks: What Do People Misunderstand or Underappreciate About Apple?

Slashdot -

In an interview with Fast Company, Apple CEO Tim Cook says people who have not used his company's products miss "how different Apple is versus other technology companies." A person who is just looking at the company's revenues and profits, says Cook, might think that Apple "is good at making money." But he says "that's not who we are." In Cook's view, Apple is: "We're a group of people who are trying to change the world for the better, that's who we are. For us, technology is a background thing. We don't want people to have to focus on bits and bytes and feeds and speeds. We don't want people to have to go to multiple [systems] or live with a device that's not integrated. We do the hardware and the software, and some of the key services as well, to provide a whole system. We do that in such a way that we infuse humanity into it. We take our values very seriously, and we want to make sure all of our products reflect those values. There are things like making sure that we're running our [U.S.] operations on 100% renewable energy, because we don't want to leave the earth worse than we found it. We make sure that we treat well all the people who are in our supply chain. We have incredible diversity, not as good as we want, but great diversity, and it's that diversity that yields products like this." What do you think?

Read more of this story at Slashdot.

Apple CEO Tim Cook: 'I've Only Had Good Years'

Slashdot -

Business Insider: Under CEO Tim Cook's watch, Apple has sold hundreds of millions of iPhones, booked hundreds of billions of dollars in profit, and launched new products like AirPods and Apple Watch. In fact, Cook says, he's never had a bad year as CEO of Apple. "I've only had good years. No, seriously," he said in an interview with Fast Company. "Even when we were idling from a revenue point of view -- it was like $6 billion every year -- those were some incredibly good years because you could begin to feel the pipeline getting better, and you could see it internally. Externally, people couldn't see that," he continued.

Read more of this story at Slashdot.

Drupal Console: Drupal Console 1.6.1

Drupal Planet -

Drupal Console 1.6.1 is out. The latest release contains bug fixes. Dependencies that are no longer required were also removed from the project, and development dependencies were added as suggested packages.

Acro Media: Drupal Commerce 2: How to Add a Payment Gateway

Drupal Planet -

Drupal Commerce 2 comes with a payment gateway system that allows for all kinds of payment methods to be added into your ecommerce site. Many of the standards you're used to seeing, Authorize.net, PayPal, Stripe, etc., are already good to go. On top of that, Commerce 2 has a fantastic API making it easy for developers to connect new gateway plugins.

What if you also want to allow your customers to pick up their order in-store? Or maybe you want to accept email money transfers or some other manual payment method. No worries! Drupal Commerce 2 is so adaptive that setting up these methods is also easy to do.

In this Acro Media Tech Talk video, we use our Urban Hipster Commerce 2 demo site to show how you can add, and manage, your payment gateways.

It's important to note that this video was recorded before the official 2.0 release of Drupal Commerce, and so you may see a few differences between this video and the current release. The documentation is also evolving over time.

Urban Hipster Commerce 2 Demo site

This video was created using the Urban Hipster Commerce 2 demo site. We've built this site to show the adaptability of the Drupal 8, Commerce 2 platform. Most of what you see is out-of-the-box functionality combined with expert configuration and theming.


'Tech Companies Should Stop Pretending AI Won't Destroy Jobs'

Slashdot -

Kai-Fu Lee, the founder and CEO of Sinovation Ventures and president of the Sinovation Ventures Artificial Intelligence Institute, believes that we're not ready for the massive societal upheavals on the way. He writes for MIT Technology Review: The rise of China as an AI superpower isn't a big deal just for China. The competition between the US and China has sparked intense advances in AI that will be impossible to stop anywhere. The change will be massive, and not all of it good. Inequality will widen. As my Uber driver in Cambridge has already intuited, AI will displace a large number of jobs, which will cause social discontent. Consider the progress of Google DeepMind's AlphaGo software, which beat the best human players of the board game Go in early 2016. It was subsequently bested by AlphaGo Zero, introduced in 2017, which learned by playing games against itself and within 40 days was superior to all the earlier versions. Now imagine those improvements transferring to areas like customer service, telemarketing, assembly lines, reception desks, truck driving, and other routine blue-collar and white-collar work. It will soon be obvious that half of our job tasks can be done better at almost no cost by AI and robots. This will be the fastest transition humankind has experienced, and we're not ready for it. Not everyone agrees with my view. Some people argue that it will take longer than we think before jobs disappear, since many jobs will be only partially replaced, and companies will try to redeploy those displaced internally. But even if true, that won't stop the inevitable. Others remind us that every technology revolution has created new jobs as it displaced old ones. But it's dangerous to assume this will be the case again.

Read more of this story at Slashdot.

Security updates for Wednesday

LWN Headlines -

Security updates have been issued by Arch Linux (libmspack), Debian (zziplib), Fedora (ca-certificates, firefox, freetype, golang, krb5, libreoffice, monit, patch, plasma-workspace, ruby, sox, tomcat, and zziplib), openSUSE (dovecot22, glibc, GraphicsMagick, libXcursor, mbedtls, p7zip, SDL_image, SDL2_image, sox, and transfig), Red Hat (chromium-browser), and Ubuntu (cups, libvirt, and qemu).

AI Experts Say Some Advances Should Be Kept Secret

Slashdot -

AI could reboot industries and make the economy more productive; it's already infusing many of the products we use daily. But a new report [PDF] by more than 20 researchers from the Universities of Oxford and Cambridge, OpenAI, and the Electronic Frontier Foundation warns that the same technology creates new opportunities for criminals, political operatives, and oppressive governments -- so much so that some AI research may need to be kept secret. From a report: [...] The study is less sure of how to counter such threats. It recommends more research and debate on the risks of AI and suggests that AI researchers need a strong code of ethics. But it also says they should explore ways of restricting potentially dangerous information, in the way that research into other "dual use" technologies with weapons potential is sometimes controlled.

Read more of this story at Slashdot.

Lawsuits Threaten Infosec Research -- Just When We Need it Most

Slashdot -

This year, two security reporters and one researcher will fight for their professional lives in court. Steve Ragan, senior staff writer at tech news site CSO, and Dan Goodin, security editor at Ars Technica, were last year named defendants in two separate lawsuits. The cases are different, but they have a common theme: they are being sued by the companies covered in articles they wrote. From a report: Although lawsuits targeting reporters, particularly on the security beat, are rare, legal threats are an occupational hazard that reporters are all too aware of -- from companies threatening to call an editor to demand a correction -- or else -- to a full-blown lawsuit. But the inevitable aftermath is a "chilling effect." White-hat hackers and security researchers hesitate to report vulnerabilities and weaknesses to technology firms for fear of facing legal retribution. With nation state attackers targeting elections and critical national security infrastructure on a near-daily basis, security research is needed more than ever.

Read more of this story at Slashdot.

The Car of the Future Will Sell Your Data

Slashdot -

Picture this: You're driving home from work, contemplating what to make for dinner, and as you idle at a red light near your neighborhood pizzeria, an ad offering $5 off a pepperoni pie pops up on your dashboard screen. Are you annoyed that your car's trying to sell you something, or pleasantly persuaded? From a report: Telenav, a company developing in-car advertising software, is betting you won't mind much. Car companies -- looking to earn some extra money -- hope so, too. Automakers have been installing wireless connections in vehicles and collecting data for decades. But the sheer volume of software and sensors in new vehicles, combined with artificial intelligence that can sift through data at ever-quickening speeds, means new services and revenue streams are quickly emerging. The big question for automakers now is whether they can profit off all the driver data they're capable of collecting without alienating consumers or risking backlash from Washington. "Carmakers recognize they're fighting a war over customer data," said Roger Lanctot, who works with automakers on data monetization as a consultant for Strategy Analytics. "Your driving behavior, location, has monetary value, not unlike your search activity."

Read more of this story at Slashdot.

Sooper Drupal Themes: Drupal 8 Release Candidate For All Products and Demos!

Drupal Planet -

Drupal 8 SooperThemes: After nearly a year of work we're almost there! It has taken us twice as long as we originally estimated. Drupal 8 itself has had its delays so maybe there is no surprise that updating our complex Drupal 7 theming and drag & drop platform with 15 unique theme designs and 1000+ demo content items is delayed. We now have a feature-complete stable version or Release Candidate for all our products ready for you to test! Besides that, we just moved to a new server that has all the infrastructure upgrades in place for our Drupal 8 launch.

Migrating 15 Demos With 1000+ Content Items

The past 6 weeks have been spent mostly on migrating all demo content and designs to the Drupal 8 framework. This work mostly consisted of copying, manually testing, and re-exporting pages, images, menu links, configuration etc. The glorious result of this painstaking work can be seen here: https://demo.sooperthemes.com/

Can I start using this on production?

Not just yet, we recommend holding off for the stable release before taking this puppy to production! However, the RC1 will be easy to upgrade to the upcoming stable release so I suggest you can start building your Drupal 8 project using our theme or builder, report any issues on our support forum, and launch it when we launch our stable release.

Having spent the last year just coding away at the Drupal 8 product line I now have to quickly put on my documentation and marketing hat and start churning out content and documentation updates for the website. We will spend the coming 2-3 weeks to update our website and then immediately put out a stable release for all products.

What's Next?

Of course we won't get bored after completing this monumental update. To SooperThemes the D8 release is a major milestone that brings us to the next chapter in the life cycle of our business. After the Drupal 8 release we will start paying a lot more attention to documentation, customer support, and marketing. We're excited to now have a product that exceeds everyone's expectations both in capability and now compatibility. We're going to keep developing our products, and also work on making ourselves more known inside and outside the Drupal community. 

Get Testing!

If you're already on board with Sooperthemes.com you now have access to all Drupal 8 downloads in the Downloads page. If you want to help testing, or if you just want to get started with your Drupal 8 project head on over!

Open Source Contributions

Now that we have our core business covered with our Drupal 8 products, we're going to continue making life easier for the Drupal community at large with our awesome free theme and module contributions. We want to make the free version of our theme the best Drupal 8 and 7 theme on Drupal.org. Of course our premium theme will retain some features that will remain exclusive to our patrons but even if we slice the feature count in half we probably still have the most loaded, flexible theme on drupal.org. Since our free Glazed theme is also the default theme for our Glazed CMS Drupal distribution, we also intend on having the best looking distribution on Drupal.org. Stay tuned for updates!

FCC To Officially Rescind Net Neutrality Rules On Thursday

Slashdot -

An anonymous reader quotes a report from Reuters: The U.S. Federal Communications Commission is expected to publish on Thursday its December order overturning the landmark Obama-era net neutrality rules, two sources briefed on the matter said Tuesday. The formal publication in the Federal Register, a government website, means state attorneys general and advocacy groups will be able to sue in a bid to block the order from taking effect. The Republican-led FCC in December voted 3-2 to overturn rules barring service providers from blocking, slowing access to or charging more for certain content. The White House Office of Management and Budget still must sign off on some aspects of the FCC reversal before it takes legal effect. Congressional aides say the publication will trigger a 60-legislative-day deadline for Congress to vote on whether to overturn the decision. U.S. Senate Democrats said in January they had the backing of 50 members of the 100-person chamber for repeal, leaving them just one vote short of a majority. The December FCC order will be made public on Wednesday and formally published on Thursday, the sources said.

Read more of this story at Slashdot.

Shiny Side Up

The Daily WTF -

It feels as though disc-based media have always been with us, but the 1990s were when researchers first began harvesting these iridescent creatures from the wild in earnest, pressing data upon them to create the beast known as CD-ROM. Click-and-point adventure games, encyclopedias, choppy full-motion video ... in some cases, ambition far outweighed capability. Advances in technology made the media cheaper and more accessible, often for the worst. There are some US households that still burn America Online 7.0 CDs for fuel.

But we’re not here to delve into the late-90s CD marketing glut. We’re nestling comfortably into the mid-90s, when Internet was too slow and unreliable for anyone to upload installers onto a customer portal and call it a day. Software had to go out on physical media, and it had to be as bug-free as possible before shipping.

Chris, a developer fresh out of college, worked on product catalog database applications that were mailed to customers on CDs. It was a small shop with no Tech Support department, so he and the other developers had to take turns fielding calls from customers having issues with the admittedly awful VB4 installer. It was supposed to launch automatically, but if the auto-play feature was disabled in Windows 95, or the customer canceled the installer pop-up without bothering to read it, Chris or one of his colleagues was likely to hear about it.

And then came the caller who had no clue what Chris meant when he suggested, "Why don't we open up the CD through the file system and launch the installer manually?"

These were the days before remote desktop tools, and the caller wasn't the savviest computer user. Talking him through minimizing his open programs, double-clicking on My Computer, and browsing into the CD drive took Chris over half an hour.

"There's nothing here," the caller said.

So close to the finish line, and yet so far. Chris stifled his exasperation. "What do you mean?"

"I opened the CD like you said, and it's completely empty."

This was new. Chris frowned. "You're definitely looking at the right drive? The one with the shiny little disc icon?"

"Yes, that's the one. It's empty."

Chris' frown deepened. "Then I guess you got a bad copy of the CD. I'm sorry about that! Let me copy down your name and address, and I'll get a new one sent out to you."

The customer provided his mailing address accordingly. Chris finished scribbling it onto a Post-it square. "OK, lemme read that back to—"

"The shiny side is supposed to be turned upwards, right?" the customer blurted. "Like a gramophone record?"

Chris froze, then slapped the mute button before his laughter spilled out over the line. After composing himself, he returned to the call as the model of professionalism. "Actually, it should be shiny-side down."

"Really? Huh. The little icon's lying, then."

"Yeah, I guess it is," Chris replied. "Unfortunately, that's on Microsoft to fix. Let's turn the disc over and try again."


Flixster Video Shuts Down

Slashdot -

After being purchased by Fandango in 2016, Flixster Video is officially shutting down. The site has been sending users regular emails over the past several months about the shutdown, reports Android Police. Now, the site is no longer operational, and only points people to its mobile app, which can still be used for getting movie reviews and tickets. The Verge reports: Flixster first announced it was closing in 2016, after being acquired by Fandango along with subsidiary Rotten Tomatoes. That year, Fandango also bought video streaming service M-Go, later rebranding it under FandangoNow. Flixster Video, which let people access their UltraViolet movie collection, was not a part of that deal. The shutdown began with the service telling customers it would no longer be able to redeem digital codes on the site for video playback. Over the past few months, emails have been sent out encouraging people to migrate their Flixster accounts to Vudu and Movies Anywhere in order to make sure nothing was lost. The company says it's not too late for users to do so.

Read more of this story at Slashdot.

Barbie Will Be Used To Teach Kids To Code

Slashdot -

Mattel and Tynker are teaming up to launch seven new Barbie-themed coding lessons this coming summer. "The curriculum, aimed at teaching girls about computer programming, will also expose them to potential careers like becoming a veterinarian, astronaut, or robotics engineer," reports Engadget. "The larger goal is to introduce coding to 10 million kids by 2020." From the report: The Barbie programming curriculum has been designed for beginners grades K and up. It puts learners in career roles alongside Barbie as it introduces concepts gradually. It's not all just Barbie, of course, with a few different initiatives coming in 2018, including a Mattel code-a-thon and teacher outreach program as well as involvement in the Hour of Code in December. "For close to 75 years, Mattel has taken a visionary approach to advancing play for kids around the world, most recently promoting computer programming and other STEM skills alongside iconic brands like Barbie, Hot Wheels and Monster High," said Tynker's Krishna Vedati in a statement. "We are very excited by this expanded partnership and the ambitious -- but achievable -- goal of teaching 10 million kids to learn to code by 2020 using Mattel brands."

Read more of this story at Slashdot.
