System Overlord

A blog about security engineering, research, and general hacking.

Customizing Built-in Strings in Drupal

At work, we had a situation where one of the strings built into the Drupal user interface made things somewhat confusing.  By default, 'Enter your sitename username.' is displayed beneath the username box on the login form.  However, we use a centralized authentication system called 'NetID', so this prompt was confusing to some users.

One of my coworkers had received the request from the user to change this text to "Please enter your KSU NetID."  His first thought was to create a subtheme of our base theme and modify a .tpl.php.  (It turns out this isn't even directly possible; you have to register a special .tpl.php handler first.)  My first thought was hook_form_alter, but after a moment I realized that was overkill for the task of changing a single string.  I recalled that we had previously used locale settings to modify strings being output, so I wondered whether we could do that here as well.  The first step was to find the raw string, before any placeholder substitution.

I grepped through user.module for "Enter your" and found that the string was 'Enter your @s username.'  I then opened settings.php and went to the bottom, where there was an array that looked something like this:

# $conf['locale_custom_strings_en'] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );

To make the change we needed, I set it up as:

$conf['locale_custom_strings_en'] = array(
  'Enter your @s username.' => 'Please enter your KSU NetID.',
);

Drupal 7

The same thing can be achieved on Drupal 7 in settings.php, but the array gains an extra level: the first key is the translation context passed to t(), which for core strings like this one is the empty string '', and the source/replacement pairs sit beneath it:

# $conf['locale_custom_strings_en'][''] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );
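For reference, here is the complete Drupal 7 form of the change described above.  This is an added example, not code from the original post; the source string and the 'KSU NetID' replacement come from the post, and the file path and the drush check in the note below are assumptions about a typical install.

```php
<?php
// Added example: the Drupal 7 override, placed at the bottom of
// sites/default/settings.php (path assumed; adjust for multisite installs).
//
// The first-level key is the translation context that t() receives in
// $options['context'].  Core's login prompt passes no context, so the
// lookup happens under the empty string ''.
$conf['locale_custom_strings_en'][''] = array(
  // The key must be the exact untranslated source string from user.module,
  // with the @s placeholder intact.  t() consults this table before it
  // substitutes placeholders, so grepping for the rendered text
  // ('Enter your sitename username.') will never find the key.
  'Enter your @s username.' => 'Please enter your KSU NetID.',
  // Because substitution happens after the lookup, a replacement may keep
  // the placeholder, e.g. 'Enter your @s NetID.' would still render the
  // site name in the new text.
);
```

Two things worth checking after the edit: the override only affects text that goes through t() (a string hard-coded in a theme template is untouched), and the key is matched exactly, so a stray space or missing period silently leaves the original prompt in place.  A quick way to confirm the mapping without reloading the login page is `drush php-eval "print t('Enter your @s username.', array('@s' => 'x'));"`, which should print the NetID text.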

I did it for the data...

Prior to about 2005, if you had something to say online, you built your own website and said it there.  And so the web was like a chain of small islands, each led by their own leader (the owner of the site), with browsers hopping from island to island.  Sure, there were travel agents (search engines) to help you find which island (website) you wanted to visit, but for the most part, each site was run independently and had its own way of doing things.

You could have your own website through a variety of sources -- many ISPs and most colleges and universities offered web accounts to their members/students.  Additionally, in 1995, Geocities was founded, providing free web hosting to anyone who wanted it.  Geocities even offered a WYSIWYG (What You See Is What You Get) editor for websites, so this allowed almost anyone to post their own website, even in the late 90s.

In 2004, Mark Zuckerberg launched "The Facebook" (now known simply as Facebook).  At first, it wasn't a big deal -- it was limited to college students at a handful of universities.  As the number of universities grew, so did the demand for accounts for the general public, and so, on September 26, 2006, Facebook opened its doors to anyone with a valid email address and the ability to pick a birth date more than 13 years prior to their registration.  People ran to Facebook because it was the "cool thing to do," and by 2009, Facebook was cash-positive, and today there are some 800 million users of Facebook, which means that about 12.5% of the world population is on Facebook.  This is mostly interesting because there are about 2 billion internet users worldwide, meaning Facebook has a market penetration of about 40%.

So, in 2006, this new service called Twitter came on the scene.  Twitter was interesting mostly because it was the first "microblogging" service to really gain traction.  Twitter posts are limited to 140 characters in length, which makes the success of microblogging rather interesting -- who would have thought that anyone could say anything interesting in 140 characters?  (Of course, many would argue that most of what is posted on Twitter is not worth the 140 bytes required to store it, but that's another matter.)  And, much like Facebook, as Twitter gained momentum, its numbers rose steeply.  Today, there are 200 million users on Twitter posting 200 million "tweets" per day.

So we've seen that users have been running to these services like an oasis in the desert, and similar things are happening to email, at least for personal email accounts.  First everyone had a Yahoo! or Hotmail email account, but when Google announced email with 1GB of storage, many people moved to Gmail.  Even today, most of the personal email addresses are associated with one of those 3 services.

It's not just the users who are centralizing, either.  Service providers are looking towards these free tools too, without a thought as to the motivations behind the companies offering the tools.  Take, for example, Google Analytics.  49.5% of the top million websites use Google Analytics.  How about Disqus, where 13 million users post in over 500,000 communities?

Obviously, these service providers require money to maintain their services, let alone to turn a profit.  Facebook, Twitter, Gmail, Google Analytics, and Disqus surely aren't providing services out of the goodness of their heart or some sense of corporate altruism.  They're not charging their users (except for some premium services).  So what's in it for them?


Google gets a peek at the users of 50% of the world's busiest websites and a healthy percentage of e-mail traffic as either a sender or recipient.  Facebook and Twitter get a snapshot into the lives of hundreds of millions of individuals, seeing a cross-section of human behavior on a scale never before imagined.  Disqus gets to see what people are talking about and where they're talking about it.

Who might be interested in this data?  Well, first and foremost, I suspect marketers would like to know a lot about this.  Who's discussing fashion, technology, or business?  Maybe executives would like to know how many people are talking about their company -- or their competitors.  And just perhaps, less-than-friendly governments (left to the interpretation of the reader) would like a peek at what people are talking about, or even the easy ability to shut down the now-recentralized lines of communication among the people in their country.  Look at efforts by Egypt and Syria to shut down access to these tools during their revolutions.

I'm not saying these services are bad.  I use many of them myself.  I have a presence on Facebook, on Twitter, a GMail account, and I use Google Analytics to help me better understand my audience.  I do it because I make a conscious decision about what data I place where, and how I handle my personal information.  I weigh the benefits of the service against the privacy tradeoffs.  We all make compromises, every day.  I just want you to stop and think for a few seconds before you sign up for the next big service: "What am I giving them?  What do they get out of this?  What do I get out of this?"

The US Day of Rage

For those who have missed it, (and since the mainstream media is more or less ignoring it, you probably have) there's currently a large number of people protesting against the increasing social inequality in the United States. There are thousands of people protesting on Wall Street and the rest of Manhattan, protesters in Chicago, and protesters in other major cities.

Much of the movement was spawned by a movement for the "US Day of Rage". Some of this movement was spawned by a group called US Uncut, whose primary goal was to highlight that the largest banks in the country pay less in income taxes than most of the individual taxpayers in this country. Some of this movement has spawned out of the group "Anonymous", which seems to be a loose-knit group of individuals that may have some common foundations. Others seem to have just joined as the movement reached critical mass, identifying only with the core views of the Occupy Wall Street movement.

These groups have come together in order to demand that the government protect individuals' rights and recognize that the people of the United States must come before the desires of big business. Congress must take steps to halt our progression towards a two-class society: rich management riding the backs of the under- and un-employed. With our current trend, we will quickly be eclipsed by the societies of China, India, and other states.

Anonymous has done many things I don't agree with. I don't support the Anti-Sec movement, and I don't believe that hacking servers, leaking information, or defacing websites is a productive activity. I do believe in peaceful protest, in the First Amendment right to petition the government for a redress of grievances. Most of the activities associated with Occupy Wall Street are protected First Amendment activities.

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

A week and a half ago, only 12% of Americans approved of the job being done by Congress. Police Officers in New York are assaulting and battering peaceful protestors with chemical weapons. How much more of the status quo are the people of America prepared to stand?

I can only hope that the change here will come about through informed discourse, peaceful protest, and democratic processes. In Syria, Egypt, and Libya, we have seen less peaceful revolutions when the people of those states reached a tipping point. Civil disputes in this country have a long history -- whether it was the civil rights movement or the civil war. Out of the latter, we got the Gettysburg Address with its timeless words "government of the people, by the people, for the people." We must return to government of the people, by the people, and for the people before American society is destroyed.

Lying to Google (a.k.a. SEO)

Search Engine Optimization (SEO) comes in two basic forms.  The first really is optimization: ensuring that your site has good links, that the content is relevant, and that the site adheres to good structural practices.  With the ever-growing complexity of websites, taking steps to help search engines understand your content and the structure of your site makes good sense.  With the new notion of a "semantic web", this will grow to a new level and become a key part of web development best practices.

The second form of search engine optimization basically amounts to lying to Google.  I say "Google" and not "search engines" because Google's market share has made it so that most SEO amounts to efforts to get the highest Google page rank.  Take, for example, the practice referred to as "Google bombing".  Creating many misleading links to a page in order to have it appear for keywords that have nothing to do with the content is clearly misleading to Google, and misleading to consumers.

A few days ago, Matt Gemmell posted an article entitled "SEO for Non-dicks" where he described the positive world of SEO.  But he also highlighted the unethical practices presented at an SEO conference.  Several companies offering SEO services feature practices like buying links, setting up link farms, and embedding hidden links in pages.  Other practices include hidden (same color as background or underneath other parts of the site) text that may have little or nothing to do with the site.

Because these techniques are designed to mislead search engines (and consequently the consumers using the search engines), these seem to me to amount to a "bait and switch" advertisement.  This is gaming the system.  Fortunately, search engines are making great strides in penalizing the sites that use these misleading practices.

To paraphrase Field of Dreams, "If you build good content, they will come."

Tablets, Free Software, and You

Tablets are the current 'big thing' in computing devices -- so much so, in fact, that many believe tablets will replace most of the uses of laptops and desktops.  This aligns closely with the trend to put "everything" on the web.  While making everything browser-based certainly has its conveniences, it also has risks.

Users are continually placing their privacy and their data in the hands of others, while ignoring the risks posed by these actions.  Look, for example, at the terms of service and software licenses associated with the iPad.  Apple can remotely "kill" software on your iPad.  If that software was storing your data, too bad, it's gone.

What if all your images are stored in a "cloud storage" solution and your provider suddenly decides to increase rates (or decrease your free storage quota)?  Will you pay whatever it takes to get your images back?  How about your email, the videos of your children, or your personal documents?

I'm sure you believe that this won't happen, or that you can just move your data.  If you believe this, take a look at where your data is stored today.  Do you use Microsoft Outlook archives?  I hope you'll never want to load the archive files when you don't have access to Outlook.

While Richard Stallman has pointed out that even Android, based on the open source Linux kernel, probably does not qualify as free software, that's probably not nearly as important as whether or not your data is free.  Even if you chose to use proprietary software, keeping your data free and open lets you move it when you need it.

Tablets and cloud services are two sides of the same coin -- while they might be convenient in the short term, their true costs are well hidden.  For the ease of use, you are giving up substantial amounts of control.  Maybe this is something you're okay with, but you shouldn't be.  I'm not.  Users of the iPad and iPhone routinely "jailbreak" their devices to wrestle some control of their device back.  Why buy a device that requires circumventing the license agreement to use it how you want?  Demand open devices.

Use open, standardized formats that are not encumbered by patents.  Make sure you have access to your data -- it's best if you keep your data somewhere under your own control (your own computer, flash drive, or other device).  Don't let companies who care only about their bottom line tell you what you can do with your data.

Take control of your devices, take control of your software, and most importantly, take control of your data.