[HacktionLab] Drupocalypse v3 Can it ever stop

Mike Harris mike.harris at xtreamlab.net
Mon Apr 30 10:50:16 UTC 2018

Hi Clara,

Really good points and considerations.  I definitely agree with you, and 
am guilty as charged with regards to agreeing to do some cheap hosting, 
or taking on some crap site, and then a) not charging enough to make it 
sustainable, and b) not being available enough to fix it when it goes 
wrong, or patch it, when something like a Drupalgeddon happens.


On 2018-04-27 10:24, clara wrote:
> Hi,
> The reason why two security updates came after each other like that was
> in fact to protect those sites that would be patched straight away.
> The security team could have straight away made a patch that would have
> fixed everything - but that would also directly point to the 
> vulnerability.
> When they released the first patch, the issue was something that could
> be exploited - but for which (as far as they knew) there weren't any
> exploits out.
> And when an exploit came out they straight away released the second 
> patch.
> So that means sites where the maintainers are swamped with work got an
> extra 3 weeks that kept them safer.
> The problem is not Drupal - it's the fact that any dynamically generated
> site does need maintenance.
> Even with Wordpress' auto-update, there are still plenty of Wordpress
> sites that are now hacked to mine bitcoins.
> If somebody doesn't have time or money to ensure that their site is
> updated then there are several options.
> 1) Ask yourself before you build the site what you actually need and
> what you can maintain or have somebody else maintain for you. If you
> can't have it maintained and don't need the functionality, then don't use
> a dynamically generated site (neither Drupal, nor Wordpress nor anything
> like that), use a static site generator.
> 2) Use a shared hosting like Mayfirst collective or Pantheon or so if
> you want it more commercial. They usually provide the core updates.
> 3) Pay for a service that does the updates. Dropguard costs about 9€ a
> month to do that, and there are some others as well. Don't expect others
> to save you and your site out of the goodness of their heart - at least
> not repeatedly or without having agreed on that.
> And the point that interests me most:
> 4) Build a network to share the skills and the work. I could have easily
> patched a few more sites while I was on it. And I would also be happy to
> know that there are trusted people around who have the needed access to
> a machine in case I'm travelling on Wednesday.
> In solidarity
> clara

Mike Harris
XtreamLab Internet Services Limited
w: https://xtreamlab.net
t: +44 7811 671 893
0: https://mbharris.co.uk/keys/pgp.html
