“E-learning and Digital Cultures” MOOC

I’ve just completed the second week of the “E-learning and Digital Cultures” MOOC, delivered using Coursera by staff from the School of Education.

One reason I took this course was just to experience a MOOC, and the sheer number of participants and their global spread doesn’t disappoint. The discussion boards are kept lively, although social spaces such as Twitter suffer a little from too much noise rather than not enough interest. It seems that the largest group represented are teachers and educators.

Week one looked at the idea of technological determinism, and asked to what extent does technology shape society. A number of short films from popular culture depicted the relationship we have with technology, presented as either desirable and utopian or negative and dystopian.

Continue reading

Twitter Bootstrap

Twitter BootstrapHere in the College web team we have been experimenting recently with building websites using the Twitter Bootstrap toolkit.

Bootstrap offers a very lightweight set of tools (it’s perhaps overkill to call it a ‘framework’) to set up a functional website in a very short space of time, that does everything that you might expect a modern website to do. With it, a website can be created very quickly that offers ‘out-of-the-box’ modern browser-based client-side technologies such as JavaScript jQuery interface components (e.g. navigation toolbars, tabbed or drop-down menus), and conforms to modern web development guidelines and standards such as the use of valid HTML (and HTML 5), CSS, accessibility, SEO and cross-browser support.

In particular, Bootstrap v3.0 offers the ability to easily build a Responsive Web Design (RWD) website so that the same codebase can be used for multiple browser/hardware client platforms of all sizes, including tablets and smartphones, without too much effort.

We’ve also been experimenting with using Bootswatch to theme (fonts, layout, formatting and colours) the default interface template offered by Bootstrap, and using the Drupal v7 Bootstrap module to integrate the functionality of Bootstrap into a Drupal v7 theme. The combination of the server-side PHP/MySQL Drupal Content Management System and the client-side jQuery/CSS Bootstrap toolkit is a very powerful one that allows a relatively sophisticated website to be built very quickly.

Bootstrap fits in very well with a Rapid Application Development (RAD) methodology or even an Agile development methodology. It’s perfect for building functional web prototypes or basic small-scale operational websites, but perhaps its limitations should be recognised – like a lot of WordPress-based websites there is a danger that without some customisation, the website interface can be too much like any other Bootstrap-based website and becomes a boring ‘vanilla’ website. It’s also not really an option if a website is designed to conform to a demanding specification, such as an interface that will feature some groundbreaking functionality or attractive and unique design that perhaps will be used for branding and marketing an organisation or idea.

What is does do though is allow a web developer more time to concentrate on the advanced requirements of developing a website on the server-side without having to worry too much about building a ‘quality’ website on the client-side from scratch for every single project, to gather valuable user feedback at an early stage of development, and it offers a scalable platform for future development and customisation.

Why you shouldn’t reuse passwords

With so many website accounts to keep track of these days, many people are tempted to use one or two passwords that they can remember for lots of different sites. We have heard that it’s dangerous to write down passwords, and of course no-one can store dozens of random strings of characters in their head for websites that they may only visit occasionally. So, having a small number of passwords to reuse across multiple websites can seem like a sensible compromise.

However, this can be a very dangerous practice. It’s impossible to know how securely a website stores your data, and you should always ask what would be the worst case scenario if this information were to get into the wrong hands. There have been countless examples of password lists being leaked (examples include last.fm, eHarmony, LinkedIn, Yahoo!, Phandroid, Writerspace, and Adobe), but often passwords can be stolen without users being any the wiser.

Last week, a vulnerability was found in WHMCS, a billing and support application used by web hosting providers. Potentially, attacks such as this can give hackers control over things such as DNS settings and hosting control panels. In other words, your website itself can be as secure as possible, but hackers can still gain control by extracting your password from other applications.

A good solution is to use software such as KeePass. This allows you to store all your login details in a single encrypted database, so you only need to remember the password for the database, not individual passwords for every website. It also allows you to create much stronger passwords (since you don’t need to remember them), and will even generate them for you. Or if you need access to passwords when out and about, there are versions of KeePass for your phone/tablet.

Some nice WordPress plugins

A few nice WordPress plugins I’ve been using recently:

Better WP Security – A very popular and powerful plugin that takes a range of steps to harden your WordPress installation.

Mail on Update – Emails you to let you know of available plugin updates.

Polylang – Simple and easy to use, it allows you to create a multilingual site (no in-built translation workflows – if you need that try WPML).

Approval Workflow – An easy way to add an Administrator-approval process to your publications.

Blackbox Debug Bar – For plugin developers. It gives useful feedback on SQL queries, page load times, errors, and values of superglobals.

Pure Profiles WordPress plugin – version 1.7

A new version (1.7) of the WordPress plugin for displaying Pure Profiles is now available to download at https://bitbucket.org/gmaxwell/pure-wordpress-plugin/downloads

The WordPress pseudo-cron has been removed, meaning that it now updates the cache using a traditional cron job only. This helps prevent any confusion about when the update will take place. In addition, an authentication key (editable on your Settings page) must be sent with the call. This ensures that the API is not being called maliciously.

There are also some other improvements, such as the use of preferred names, and publications linking to DOIs.

 

WordPress plugin for Pure profiles

The University is using the Pure software to keep track of research activity. The front end for this is the Edinburgh Research Explorer, which allows you to browse the data.

Pure provides an API to the data, and several people in the University have been investigating how to extract and make use of the information. It’s been interesting to see the variety of approaches taken, and it seems that different solutions may be suitable depending on the application. We plan to make use of some of these solutions in our sites. In the HSS Web Team, we’ve been particularly keen to make the information available in WordPress. We use WordPress for several sites and wanted a plugin to give users a nice profile page, automatically generated from the golden copy.

I’ve been working on a WordPress plugin to do this, which is now at a release stage: https://bitbucket.org/gmaxwell/pure-wordpress-plugin

Development decisions

There was a consensus in the University that REST was the best way forward (Pure also provides a SOAP API). I’ve written a couple of REST APIs in the past, and used the PHP cURL library to consume them. However, we recently discovered Guzzle, a library which makes things nice and easy, and abstracts things a little from the PHP cURL library. Guzzle is going to be part of Drupal 8 core, so well worth checking out.

It’s important that the data is cached locally, both to reduce the load on the server, and to ensure fast page load times. Therefore, when the plugin is enabled, it creates several custom WordPress tables. The API is then called periodically and the data stored in these tables until the next time we want to refresh the database.

The source code is available to browse or clone on Bitbucket.

Installation

To use the plugin, you should first download the latest version (currently 1.5) from the downloads page.

You can then go into your WordPress admin area, and Plugins->Add New->Upload to upload the zip file. After installing, click to enable the plugin.

Once the plugin is enabled, you have an additional option under Settings for Pure Profiles.

settings

The first section in the Settings page is Connection Details. This is where the hostname, username and password go. It’s sensible to connect to the beta server to begin with.

connection-details

You can currently specify which people to pull out by specifying the Pure UUID, Employee ID, or a combination of both. You can also specify an organisation’s UUID, to pull out all the people associated with it (to reduce server load, it’s best to do it this way only when you actually need all of the people in that organisation). All of these should be provided as comma separated lists. The system ignores line breaks, which means you can have the UUIDs on separate lines for readability.

parameters

I’ve found the easiest way is to search the Edinburgh Research Explorer for the person you want, and then retrieve their UUID from the URL (between the brackets). It’s also a way of checking that they are actually in Pure!

The next section allows you to specify the time of the cron job to update the database. Note that this is a WordPress pseudo-cron, and is actually triggered the next time the site is accessed. For this reason, it makes sense to set up an actual cron job to call the site shortly after the scheduled WordPress cron. This ensures that the update takes place overnight, rather than being triggered in the morning when someone visits the site.

cron-appearance

There’s also an option to enable Development Mode. This calls the API on every page load. Enabling Development Mode slows the site down significantly and puts an unnecessary load on the Pure server, so it should be avoided, particularly with the live server. However, enabling it after you install the plugin and then disabling it immediately afterwards allows you to populate the database right away, rather than waiting overnight.

Under Appearance, there’s the option of whether or not to use the default stylesheet. The default stylesheet provided with the plugin gives some basic formatting, but these styles can be overridden in your theme’s stylesheet. The generated HTML has lots of classes provided, so there’s a fair amount of flexibility in how you can style the output.

Displaying the data using Shortcodes

Once the plugin has been configured in Settings, and the database has been populated, the next step is to add the shortcode to a page. The plugin adds an extra icon to TinyMCE, which brings up a dialog.

tinymce-dialog

You can then select the person to include from a dropdown list, and optionally hide sections.

tinymce-dialog2

Clicking Create Shortcode inserts the shortcode into the page.

shortcode

Then it’s just a case of saving the page, and the profile appears.

profile profile2

Note that you could have your publications or projects on separate pages, by using multiple shortcodes and hiding the appropriate sections.

Future Development

The plugin is still very much in development. There may be some fields missing, and there’s no paging of publications, for example.

Please feel free to add issues in Bitbucket, make suggestions, etc., and to use it!

 

Free coffee

Web people are hopeless without coffee, apparently, so this perked us up.

Edinburgh Centre for Carbon Innovation cafe

The Edinburgh Centre for Carbon Innovation is looking for a name for its new cafe – and the prize includes 10 free coffees — enough caffeine to wake the medieval knight discovered under their car park.

The shortlist is now

  • Caffeine Capture Cafe

  • Knight’s Table

  • Old School Cafe

  • Sustain

  • The Energy Store

and entries close on the 15 May,  so get on over at vote at:

http://www.edinburghcentre.org/competition.html

Web Application Security – the Role of Users

For IT professionals, security is an integral part of the job. We must keep up-to-date with the latest techniques being used to target sites, and try to stay a step ahead of the hackers. Most developers foster a healthy paranoia about the range of ways that systems could be exploited, and keep it constantly in mind when designing an application, writing the code, and then deploying and updating.

However, there are also steps that users can and should take to prevent their data being compromised. These three important practices will go a long way to ensuring that your data is secure.

1 – Use strong passwords

Brute force attacks are common, such as this recent attack on WordPress sites. This is where a malicious computer program makes multiple attempts to guess a user’s password. If your password is in the dictionary, related to the name of your website, or too short, there’s a good chance that a brute force attack will crack it. Actually, any password can be guessed given enough time, which is why you should also change your password every few months. Creating a strong random password of 10 or more characters and using a mixture of upper and lower case, numbers, and special characters will protect from most attacks.

You should also be aware of other ways in which your password can be vulnerable. For example, using the same password across multiple sites, leaving a written copy lying around, or connecting over unencrypted Wi-Fi (e.g. in an internet cafe).

2 – Keep your browser up-to-date

Part of the job of IT professionals is to ensure that third-party software and plug-ins are kept up-to-date. This is because, as new exploits are discovered, the software vendors will update their products to protect against them. Therefore using older versions leaves users at risk of being hacked through known vulnerabilities.

As a user, you should also ensure that you keep your browser at the latest version. Older browser versions are often insecure, and some have been abandoned by vendors. Keeping your browser current not only means added protection from hackers, but also that you have all the latest bug fixes and features, and that web pages will display as intended by the web designers.

It’s also good practice to keep your operating system updated with the latest fixes.

3 – Be aware of social engineering techniques

Social Engineering techniques involve attempting to trick people in order to gain access to buildings, systems, or data. The most well-known example is phishing which is an attempt to gain information such as usernames, passwords, or credit card details, normally through emails or impersonating a website. However, scammers use a wide range of con tricks, and it’s important to stay informed and alert.

Consequences

Having something hacked can be a stressful experience. As well as potential economic costs, there are reputational costs. Whether it is sensitive data being leaked, your site being downgraded by search engines, or your Facebook account being used to send embarrassing messages, the consequences of lapses in security can suddenly become very real when the worst happens. In the case of a hacked website, it can be virtually impossible to fix, since hackers can install sophisticated software to retain control of the server behind the scenes.

There’s no such thing as 100% security, but by bearing in mind some of the most likely exploits, you can at least mitigate the risk.