System Overlord

A blog about security engineering, research, and general hacking.

Coming Drupal Trends

Based on Drupalcon last March and Drupalcamp Atlanta this weekend, I've seen some growing trends in Drupal.  While some of them might "already be here" I don't think everyone's doing them yet.  Some of them apply to web development in general, while others are more specific to Drupal.

Adaptive Web Design

We all know mobile is here and is going to stay.  However, the days of 23-30 inch monitors aren't over.  Making something that is highly usable on both ends requires adapting to the user's platform (hence adaptive design).  Themes like Omega, AdaptiveTheme, and their derivatives are probably going to replace base themes like Zen in order to make things more "adaptive."  It's worth noting that Zen can be adaptive with media queries, but it's not designed for it from the ground up.


I'm sure this will come as a great surprise.  HTML5 is here to stay.  Which, if we're at all lucky, means that Flash will be reserved for those rare cases that need more than HTML5 has.  (Which is not much.)  Maybe we can at least not have whole sites done in Flash.  The downside of this is likely to look something like the days of <blink> and <marquee>.  People (most of whom are management, not designers or developers) will be asking for the "whizzbang" of HTML5.  Please, resist the urge to implement things "because you can."

Opcode Caches

Let's be honest: Drupal 7 is not lightweight.  I've just developed a site for a client that is hosted on Dreamhost, and we're running into memory troubles.  (In particular, the new UI for Tokens is a killer.)  While opcode caches like APC and XCache don't fix that, they do eliminate or reduce the need to parse and compile the source for every PHP file on your site, be it Drupal core or contrib.  (Note that eval'ed code cannot be cached.)

Horizontal Scaling

More and more, Drupal is being used for high-traffic websites.  While Boost, APC, and core caching help a lot, if your site has a lot of logged-in traffic, they can only do so much.  You can scale vertically, but there's a limit to how big a server you can buy, and vertical scaling doesn't give you any redundancy.  While horizontally scaling your web servers is (comparatively) easy -- buy a few web servers and point a load balancer at them -- the database servers are harder to scale.  Drupal 7 has added some ability to have master/slave servers to distribute read load, but I hope we'll see more work towards support for full clusters of DB servers where you can even distribute the writes.

More Distributions

Just like Linux, Drupal comes in distributions.  There's the core Drupal distribution, but there's also OpenPublish, OpenPublic, COD (Conference-Organizing Distribution), and OpenScholar, among others.  Check them all out at Drupal Distro Watch.


If you're not already using Drush, you're doing it wrong.  Drush makes things like enabling/disabling modules, updating modules, executing cron, getting to a SQL shell, etc. so much easier than going through the web interface.  Plus Drush itself is scriptable and extensible.  Oh, and you can do aliases for whole groups of sites (awesome for security patches).


What are your predictions for the up and coming Drupal (and web development) trends?

I have the coolest wife...

I have the coolest wife because, although today is our first anniversary, she not only allowed, but encouraged, me to attend DrupalCamp Atlanta.  Hopefully I learn something useful.  :)

I love her very much... and I'm not just saying that because she reads this blog.

(Oh, and don't worry, we'll be spending the evening together.)

Customizing Built-in Strings in Drupal

At work, we had a situation where one of the strings built in to the Drupal User Interface made things somewhat confusing.  By default, 'Enter your sitename username.' is displayed beneath the username box on the login form.  However, we use a centralized authentication system called 'NetID', so this prompt was confusing to some users.

One of my coworkers had received the request from the user to change this text to "Please enter your KSU NetID."  His first thought was to create a subtheme of our base theme and modify a .tpl.php.  (It turns out this isn't even directly possible; you have to register a special .tpl.php handler first.)  My first thought was hook_form_alter, but after a moment, I realized that was overkill for the task of changing a single string.  I recalled that we had previously used locale settings to modify strings being output, so I wondered if we couldn't do that here as well.  The first step was to find the raw string, before any processing.

I grepped through user.module for "Enter your" and found that the string was 'Enter your @s username.'  I then opened settings.php and went to the bottom, where there was an array that looked something like this:

# $conf['locale_custom_strings_en'] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );

To make the change we needed, I set it up as:

$conf['locale_custom_strings_en'] = array(
  'Enter your @s username.' => 'Please enter your KSU NetID.',
);

Drupal 7

The same thing can be achieved on Drupal 7 in settings.php, but the format of the array has changed slightly:

# $conf['locale_custom_strings_en'][''] = array(
#   'forum'      => 'Discussion board',
#   '@count min' => '@count minutes',
# );
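To see why the override key has to be the raw source string (placeholder included) rather than the text users actually see, here is an added example that is not from the post or from Drupal core: a cut-down stand-in for Drupal 7's t() and format_string(). The functions demo_t and demo_format_string are hypothetical emulations, and the site name is a constructed value.

```php
<?php
// Added example (not from the original post or Drupal core): a minimal
// stand-in for Drupal 7's t() showing the lookup order that makes the
// settings.php override work.

// settings.php fragment in Drupal 7 format: the inner '' key is the string
// context, which is empty for most core strings.
$conf = array();
$conf['locale_custom_strings_en'][''] = array(
  'Enter your @s username.' => 'Please enter your KSU NetID.',
);

// Placeholder handling mirrors format_string(): @ escapes HTML, % escapes
// and wraps in <em>, ! inserts the value raw (only for trusted values).
function demo_format_string($string, array $args) {
  foreach ($args as $key => $value) {
    switch ($key[0]) {
      case '@':
        $args[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        break;
      case '%':
        $args[$key] = '<em class="placeholder">'
          . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</em>';
        break;
      case '!':
        break; // passed through as is
    }
  }
  return strtr($string, $args);
}

// Lookup order: custom string for (langcode, context, raw source) first,
// then placeholder substitution.  Drupal 6 has the same flow minus the
// context level in the array.
function demo_t($string, array $args = array(), $context = '', $langcode = 'en') {
  global $conf;
  $key = 'locale_custom_strings_' . $langcode;
  $custom = isset($conf[$key][$context][$string]) ? $conf[$key][$context][$string] : $string;
  return demo_format_string($custom, $args);
}

$site = 'Example <b>Site</b>';   // constructed site name containing markup

// The raw source matches the override, so the replacement is shown.
echo demo_t('Enter your @s username.', array('@s' => $site)), "\n";
// Keying on the already-substituted text never matches: the override
// below is dead configuration and the first one still wins.
$conf['locale_custom_strings_en']['']['Enter your Example Site username.'] = 'never used';
echo demo_t('Enter your @s username.', array('@s' => $site)), "\n";
// Without an override, @s escapes the site name instead of emitting markup.
echo demo_t('Welcome to @s.', array('@s' => $site)), "\n";
```

This is why grepping user.module for the @s form, as described above, was the necessary first step.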

I did it for the data...

Prior to about 2005, if you had something to say online, you built your own website and said it there.  And so the web was like a chain of small islands, each led by their own leader (the owner of the site), with browsers hopping from island to island.  Sure, there were travel agents (search engines) to help you find which island (website) you wanted to visit, but for the most part, each site was run independently and had its own way of doing things.

You could have your own website through a variety of sources -- many ISPs and most colleges and universities offered web accounts to their members/students.  Additionally, in 1995, Geocities was founded, providing free web hosting to anyone who wanted it.  Geocities even offered a WYSIWYG (What You See Is What You Get) editor for websites, so this allowed almost anyone to post their own website, even in the late 90s.

In 2004, Mark Zuckerberg launched "The Facebook" (now known simply as Facebook).  At first, it wasn't a big deal -- it was limited to college students at a handful of universities.  As the number of universities grew, so did the demand for accounts for the general public, and so, on September 26, 2006, Facebook opened its doors to anyone with a valid email address and the ability to pick a birth date more than 13 years prior to their registration.  People ran to Facebook because it was the "cool thing to do," and by 2009, Facebook was cash-positive, and today there are some 800 million users of Facebook, which means that about 12.5% of the world population is on Facebook.  This is mostly interesting because there are about 2 billion internet users worldwide, meaning Facebook has a market penetration of about 40%.

So, in 2006, this new service called Twitter came on the scene.  Twitter was interesting mostly because it was the first "microblogging" service to really gain traction.  Twitter posts are limited to 140 characters in length, which makes the success of microblogging rather interesting -- who would have thought that anyone could say anything interesting in 140 characters?  (Of course, many would argue that most of what is posted on Twitter is not worth the 140 bytes required to store it, but that's another matter.)  And, much like Facebook, as Twitter gained momentum, its numbers rose steeply.  Today, there are 200 million users on Twitter posting 200 million "tweets" per day.

So we've seen that users have been running to these services like an oasis in the desert, and similar things are happening to email, at least for personal email accounts.  First everyone had a Yahoo! or Hotmail email account, but when Google announced email with 1GB of storage, many people moved to Gmail.  Even today, most of the personal email addresses are associated with one of those 3 services.

It's not just the users who are centralizing, either.  Service providers are looking towards these free tools too, without a thought as to the motivations behind the companies offering the tools.  Take, for example, Google Analytics.  49.5% of the top million websites use Google Analytics.  How about Disqus, where 13 million users post in over 500,000 communities?

Obviously, these service providers require money to maintain their services, let alone to turn a profit.  Facebook, Twitter, Gmail, Google Analytics, and Disqus surely aren't providing services out of the goodness of their heart or some sense of corporate altruism.  They're not charging their users (except for some premium services).  So what's in it for them?


Google gets a peek at the users of 50% of the world's busiest websites and a healthy percentage of e-mail traffic as either a sender or recipient.  Facebook and Twitter get a snapshot into the lives of hundreds of millions of individuals, seeing a cross-section of human behavior on a scale never before imagined.  Disqus gets to see what people are talking about and where they're talking about it.

Who might be interested in this data?  Well, first and foremost, I suspect marketers would like to know a lot about this.  Who's discussing fashion, technology, or business?  Maybe executives would like to know how many people are talking about their company -- or their competitors.  And just perhaps, less-than-friendly governments (left to the interpretation of the reader) would like a peek at what people are talking about, or even the easy ability to shut down the now-recentralized lines of communication among the people in their country.  Look at efforts by Egypt and Syria to shut down access to these tools during their revolutions.

I'm not saying these services are bad.  I use many of them myself.  I have a presence on Facebook, on Twitter, a GMail account, and I use Google Analytics to help me better understand my audience.  I do it because I make a conscious decision about what data I place where, and how I handle my personal information.  I weigh the benefits of the service against the privacy tradeoffs.  We all make compromises, every day.  I just want you to stop and think for a few seconds before you sign up for the next big service: "What am I giving them?  What do they get out of this?  What do I get out of this?"

The US Day of Rage

For those who have missed it (and since the mainstream media is more or less ignoring it, you probably have), there's currently a large number of people protesting against the increasing social inequality in the United States. There are thousands of people protesting on Wall Street and the rest of Manhattan, protesters in Chicago, and protesters in other major cities.

Much of the movement was spawned by a movement for the "US Day of Rage". Some of this movement was spawned by a group called US Uncut, whose primary goal was to highlight that the largest banks in the country pay less in income taxes than most of the individual taxpayers in this country. Some of this movement has spawned out of the group "Anonymous", which seems to be a loose-knit group of individuals that may have some common foundations. Others seem to have just joined as the movement reached critical mass, identifying only with the core views of the Occupy Wall Street movement.

These groups have come together in order to demand that the government protect individuals' rights and recognize that the people of the United States must come before the desires of big business. Congress must take steps to halt the progression we have towards a two-class society: rich management riding the backs of the under- and un-employed. With our current trend, we will quickly be eclipsed by the societies of China, India, and other states.

Anonymous has done many things I don't agree with. I don't support the Anti-Sec movement, and I don't believe that hacking servers, leaking information, or defacing websites is a productive activity. I do believe in peaceful protest, in the 1st Amendment right to petition the government for a redress of grievances. Most of the activities associated with the Occupy Wall Street movement are protected 1st Amendment activities.

Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

A week and a half ago, only 12% of Americans approved of the job being done by Congress. Police Officers in New York are assaulting and battering peaceful protestors with chemical weapons. How much more of the status quo are the people of America prepared to stand?

I can only hope that the change here will come about through informed discourse, peaceful protest, and democratic processes. In Syria, Egypt, and Libya, we have seen less peaceful revolutions when the people of those states reached a tipping point. Civil disputes in this country have a long history -- whether it was the civil rights movement or the civil war. Out of the latter, we got the Gettysburg Address with its timeless words "government of the people, by the people, for the people." We must return to government of the people, by the people, and for the people before American society is destroyed.