An Event Apart and Drupageddon

Date: Wednesday, November 12, 2014

Business:

Leadership team officer elections are held twice a year (Dec. and Jun.). In December, Co-chair and Website Developer are up for election. Nominations are now open. You may nominate yourself or someone else (with their permission). See the charter (PDF) for duties of the officers. Current officers—Co-chair, Mark Harmon, and Web Developer, Jonathan Santos—have not indicated if they will run again.

Web branding update: Meetings are every Friday. Email Tom Bourgeois (bourgeot@email.arizona.edu) or Barrett Baffert (baffert@email.arizona.edu) if you want to participate and have a voice in the outcome. There are three working groups:

  • The Digital Assets group is working on creating assets that developers can use for their sites. They’ve made some progress in setting up a structure for the assets but are still waiting on the annotated design PSD from External Relations.
  • The UX and Quality of Brand group is working on defining audiences and has done some preliminary user testing on the most recent (but not final) version of the header. Barrett was very receptive to feedback from user testing on any component.
  • The Project Management (Governance and Implementation) group is working on a survey to go out to as many web developers on campus as possible to be sure we have a complete and accurate picture of audiences and high-level use cases.

Website awards: Nominations are still open until 5 p.m., Friday, Nov. 21 (just like Open Enrollment). Voting opens on Monday, Nov. 24 and continues until 5 p.m. Friday, Dec. 5. Awards will be presented at the December meeting.

Presentation: An Event Apart

by Mark Fischer

"An Event Apart" is a design conference for people who make websites. I consider myself a programmer. But on every website I build I am the designer (there’s just me).

What do we think of as design? Design = decision-making, not just graphics. Design is how it works, not just how it looks.

Themes: Accessibility, Mobile-Mobile-Mobile, Context, Copy (all the words), Data & Research, Mad Libs

Accessibility

  • A lot of people included accessibility in their presentations.
  • Jeffrey Zeldman: “Google is the biggest blind user.” Google is just starting to parse CSS and JavaScript.
  • Benefits of coding for accessibility include SEO, increasing reach, and future-proofing. How many sites we make today will work on tomorrow’s devices? Follow standards: HTML is accessible by default. Early websites still work really well on phones. It’s our design decisions that break accessibility.
  • Ethan Marcotte: developing world. 60% on 2G networks with phones from early 2000s. This is where the growth is. If we build for accessibility and progressive enhancement our applications will work everywhere.
  • Technology failing can be more of an issue than lack of technology support. UK government site study showed 1.1% of users didn’t get the JavaScript version. Of those only 0.2% had JavaScript disabled; 0.9% experienced a failure.

Mobile, Mobile, Mobile

  • Content first, mobile first with progressive enhancement. Focus on the baseline experience.
  • Web pages don’t have to look the same in every browser.
  • Mobile/tablet sales three times desktop sales.
  • I need to stop thinking about what this looks like on my desktop and start thinking about how it will look on a phone.

Context

  • What’s the person using your site doing? What’s the time of day, time of year, their location/environment?
  • Prestaging changes for differing user priorities through time (e.g., different event site content highlighted before, during, and after event).
  • What’s the user state of mind? Tone of content should take that into account. Users are probably frustrated when they get an error message. We probably shouldn’t be snarky.
  • Eric Meyer: What we imagine users’ context is vs. what their context really is. We think they’re alone, relaxed, and happy. They are probably with others, distracted, busy, and frustrated. What helps them get in, get what they need, and get out? What about people who are in a crisis or aren’t capable of understanding something complicated? Testing methods for site use in a crisis: apply a CSS blur filter or animation and ask users if they can locate the most important thing on a page.

Research and Data

  • Analytics: Focus on data that helps you make decisions, not vanity metrics. You can collect as much data as you want but don’t spend a lot of time on it unless you are using it to answer a question or make a decision.
  • Content as data.
    • Think about content in terms of use and reuse.
    • Marked up content blobs cannot be repurposed easily. Once content providers use rich text editors to do fancy things with content you can’t do much else with it.
    • PDFs are downloaded by almost no one and they are difficult to make accessible and repurpose.
    • It may be better to have more content types in your CMS with more specific fields that can be presented as needed in various devices and contexts.
    • NPR doesn’t allow direct end-user access to their CMS. Web applications get content from CMS and handle all presentation as appropriate for target devices.
  • Collaboration: Best ideas exist between people, not inside one person. File sharing and repositories (or other tools) are not collaboration.

Great Ideas

  • For meetings use a visual agenda with proportional areas for time to be spent on different items (like a clock or pie chart). Plan meetings around decisions, not people.
  • Bad design happens when people don’t care.
  • As soon as you tell someone they are wrong they will stop listening. Tell them how it will help them.
  • Mad libs as a way to create copy or define use cases.

These are the high-level concepts. I could do another complete presentation on technical details. If you get a chance, go! http://aneventapart.com

Q: How did the UK site determine the percentage of users JavaScript failed for?
A: They didn’t go into that but the full report is online. I’ll send out the link on the listserv.

Q: How would you design for the user's emotional state if you don't know what that is?
A: That wasn't discussed in any detail. Design for crisis as a baseline experience. Determine what is the MOST important thing.
Comment from the audience: You can make inferences: e.g. for an airline site, you could assume that a significant number of mobile users are in the airport and just had their flight cancelled.

Drupageddon

Drupageddon is a highly critical security vulnerability in Drupal 7. It does NOT affect Drupal 6. It was announced along with a patch on October 15. One week later it was announced that sites that had not been patched within 7 hours are likely to have been compromised and that the nature of the vulnerability means that detection of the compromise could be difficult or impossible. Later information suggests sites not patched within 3 hours of the October 15 announcement could be compromised.

The recommendation for sites not patched within 3 hours is to completely rebuild the server, roll sites back to October 14, and then apply the update. The update is one line of code and no database changes are required.

If you are responsible for maintaining a Drupal site, subscribe to security alerts. If you aren’t responsible, find out who is and make sure they are subscribed.

Some units have found administrator accounts that didn’t belong and that had old creation dates, so they were at the bottom of the list. Other people report random PHP files in the root or other locations.
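One way to review an account export for the pattern described above, as an added example (not part of the meeting notes or of Drupal itself): it flags administrators missing from an expected list and accounts whose creation date is older than that of an account with a lower uid. It assumes Drupal 7 hands out uids in increasing order as accounts are created; the sample rows and the expected-admin list are constructed.

```python
# Rows are shaped like an export from Drupal 7's users, users_roles and role
# tables, e.g.:
#   SELECT u.uid, u.name, u.created, r.name FROM users u
#   LEFT JOIN users_roles ur ON ur.uid = u.uid
#   LEFT JOIN role r ON r.rid = ur.rid WHERE u.uid > 0;
# Constructed sample data: (uid, name, created as Unix time, role names).
SAMPLE_ROWS = [
    (1, "admin", 1325376000, ["administrator"]),
    (14, "jdoe", 1357000000, ["editor"]),
    (27, "webteam", 1388534400, ["administrator"]),
    (41, "sysmaint", 1326000000, ["administrator"]),  # old date, high uid
    (42, "asmith", 1413900000, ["editor"]),
]


def audit_accounts(rows, expected_admins, admin_role="administrator"):
    """Return {uid: [reasons]} for accounts that deserve a manual look."""
    findings = {}
    newest_seen = 0  # latest 'created' value among accounts with a lower uid
    for uid, name, created, roles in sorted(rows, key=lambda r: r[0]):
        reasons = []
        if admin_role in roles and name not in expected_admins:
            reasons.append("admin role but not on the expected list")
        # Assumption: uids grow over time, so an account with a higher uid
        # and an older creation date was probably inserted with a fake date.
        if created < newest_seen:
            reasons.append("created date older than a lower uid")
        newest_seen = max(newest_seen, created)
        if reasons:
            findings[uid] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in audit_accounts(SAMPLE_ROWS, {"admin", "webteam"}).items():
        print(uid, "; ".join(reasons))
```

A clean result is not proof that a site is clean, since the notes above say detection may be difficult or impossible.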

There are no plans to rebuild the W6 server. W6 is set up such that if one site is compromised others won’t be affected. Owners of sites on W6 are responsible for their own updates.

Some units have rebuilt their servers, others have just rolled back, and others are only doing increased monitoring for changes. You may also want to run a Qualys scan.
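For units that are monitoring for changes, a minimal sketch of a file comparison against a known-good copy such as the October 14 rollback point (an added example, not a tool used by any of the units mentioned): it hashes every file under a docroot and reports what was added, changed or removed, with new .php files listed separately. The docroot contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile


def snapshot(docroot):
    """Map each file's path (relative to docroot) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(docroot):
        for fname in files:
            full = os.path.join(folder, fname)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def compare(baseline, current):
    """Report files added, changed or removed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline
                          if p in current and baseline[p] != current[p]),
    }


def new_php(diff):
    """Added files with a .php extension: the 'random PHP files' case."""
    return [p for p in diff["added"] if p.lower().endswith(".php")]


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed docroot: take a baseline, plant changes, compare."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php // front controller\n")
        _write(root, "sites/default/settings.php", "<?php // settings\n")
        baseline = snapshot(root)
        _write(root, "sites/default/files/cache.php", "<?php // not ours\n")
        _write(root, "index.php", "<?php // front controller, edited\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    diff = demo()
    print(diff, new_php(diff))
```

Store the baseline manifest somewhere the web server cannot write to, so a compromised site cannot update it.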

If you allow non-CAS logins, all passwords should be changed. If you only allow CAS logins, make sure that access to the Drupal login has been completely disabled. Margrit McIntosh has developed a custom Login_override module that will do this; contact Margrit McIntosh (memcinto@medadmin.arizona.edu) or Ben Emmons (emmons@email.arizona.edu) to get a copy. UITS also blocks the user1 account. You may want to change the password that Drupal uses to access the database.

You can find more information at http://uaweb.arizona.edu/Drupal-7-security-exploit