DrupalCon Dublin is only a few weeks ahead and boy, are we busy with preparations: We’re about to launch our new hosting plans, Jochen is going to give a talk at DevOps Summit, we’ll have our own booth, and there’ll even be a freistilbox party!
With DrupalCon coming right to our front door, we’re going to make as much of this opportunity as possible with a small team.
First of all, we’re going to launch new hosting plans in September. We’ve been working hard to make freistilbox a great hosting platform for all kinds of projects (as long as they’re based on Drupal or WordPress, of course). The feedback we get from prospects and customers tells us that one size doesn’t fit all, though. Young startups and brochure websites have low demands; global brands require massive infrastructure and services. So, where there is today only one kind of freistilbox, there will soon be three!
Would you like to be the first to try our new plans for free? Sign up
We’re also trying our hands at (deep breath…) marketing. Since we’re a company run by techies, we’ve decided to take baby steps onto the DrupalCon business floor. Instead of choosing one of the big sponsor packages that would require us to build and staff a booth for the whole conference, we’ve decided on a “Drupal Love” sponsorship. This way, we can both support the community and have a freistilbox booth on September 27. Let’s have a chat over in the Drupal Village; you really should not miss it!
At the freistilbox booth, you can ask us anything you’d like to know, and we’ll tell you more about the freistilbox Happy Hour! In Ireland, getting together for some savage craic is par for the course. That’s why we’ve booked one of the best pubs in Dublin for 28 September. Sign up and we’ll let you in on the secret location!
Want to arrive early and grab one of our free drink vouchers? Sign up
It’s great to see that DevOps practices have become important enough that DrupalCon now has its own DevOps Summit. And we’re proud to announce that Jochen will give a DevOps Summit presentation on “Developing resiliency under relentless pressure.” While this is a non-technical topic, it’s an enormously important one. In today’s IT organisations with their long backlogs and rapid pace, mental health is an issue we just can’t ignore.
Wow. It’s great fun to announce all this news. But making it happen is going to be a real challenge for our small team. There’s so much stuff we need to get done with only a handful of people. For the new hosting plans, our ops team is working on improvements that will enable us to scale the freistilbox infrastructure faster than ever. At the same time, our back office team is getting all the preparations on the sales and marketing side sorted, for example booking the pub, getting drink vouchers printed and preparing gear for the freistilbox booth. We’re many things, but bored isn’t one of them!
Fortunately, the huge efforts we put into systems automation, project management and customer self-service over the last year are finally paying off. Focusing on the important things for us has never been easier than today. And our most important goal is defined in our business vision:
Providing world-class hosting services to customers who mean the world to us.
We’re terribly excited to be a part of DrupalCon, and we hope to meet you in Dublin!
Are you going to be at DrupalCon? Get our updates!
12 Aug 2016
Today Drupal security advisory SA-CORE-2016-003 was published, announcing a highly critical security vulnerability affecting Drupal 8:
Drupal 8 uses the third-party PHP library Guzzle for making server-side HTTP requests. An attacker can provide a proxy server that Guzzle will use. The details of this are explained at https://httpoxy.org.
In order to mitigate this vulnerability, we have applied specific changes to our freistilbox infrastructure. Our Edge Routers will now remove any malicious HTTP header trying to inject external proxy server addresses.
Despite these security improvements in our hosting platform, we recommend that customers upgrade their Drupal 8 web applications as soon as possible. Drupal 8.1.7 is already available and fixes the vulnerable library.
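How the injected header reaches the application, and what removing it at the edge achieves, shown as an added Python example that is not freistilbox's or Drupal's own code. It assumes the header in question is the Proxy request header described at httpoxy.org; the function names and the sample request are constructed for illustration.

```python
# Added illustration: CGI-style header mapping (RFC 3875) and an edge filter.
# Function names and the sample request are constructed for this example.


def cgi_environ(headers, server_env=None):
    """Build the environment a CGI/FastCGI handler passes to the application.

    Each request header "Name-Part: v" becomes the variable HTTP_NAME_PART.
    A "Proxy" header therefore lands on HTTP_PROXY, the same variable many
    HTTP clients read to find their outbound proxy.
    """
    env = dict(server_env or {})
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def strip_proxy_header(headers):
    """Edge-side mitigation: drop every request header named "Proxy".

    Header names are case-insensitive, so the comparison is too. Returns the
    cleaned header list and the number of headers removed (useful for logging).
    """
    kept = [(n, v) for n, v in headers if n.strip().lower() != "proxy"]
    return kept, len(headers) - len(kept)


# Constructed sample request: ordinary headers plus two injected Proxy headers.
SAMPLE_REQUEST = [
    ("Host", "www.example.com"),
    ("User-Agent", "curl/7.50.0"),
    ("Proxy", "http://proxy.invalid:8080"),
    ("pRoXy", "http://proxy.invalid:8081"),
    ("Proxy-Authorization", "Basic Zm9vOmJhcg=="),  # different header, must survive
]


def demo():
    """Return (HTTP_PROXY before filtering, HTTP_PROXY after, headers removed)."""
    before = cgi_environ(SAMPLE_REQUEST)
    cleaned, removed = strip_proxy_header(SAMPLE_REQUEST)
    after = cgi_environ(cleaned)
    return before.get("HTTP_PROXY"), after.get("HTTP_PROXY"), removed


if __name__ == "__main__":
    print(demo())
```

The filter matches the exact header name only, so unrelated headers such as Proxy-Authorization pass through untouched.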
18 Jul 2016
The Drupal Security Team has released Drupal Security Advisory PSA-2016-001 today. They urge Drupal users to update a number of 3rd party Drupal 7 modules immediately when new versions are released on Wednesday, 13 July. Because of possible remote code execution, the advisory classifies the risk level as “Highly Critical”.
There will be multiple releases of Drupal contributed modules on Wednesday July 13th 2016 16:00 UTC that will fix highly critical remote code execution vulnerabilities (risk scores up to 22/25). These contributed modules are used on between 1,000 and 10,000 sites. The Drupal Security Team urges you to reserve time for module updates at that time because exploits are expected to be developed within hours/days. Release announcements will appear at the standard announcement locations.
We strongly recommend that freistilbox users check their websites for the affected contrib modules and update them as quickly as possible.
12 Jul 2016
This week, we’ve relaunched our website with a refreshed design courtesy of our friends at the Palasthotel. When I launched freistil IT back in 2010, I hired Markus (who later joined me as my business partner) to build me a Drupal website. Later, we switched to WordPress. This latest incarnation now is based on Middleman, a static website generator. All the pages are generated locally, uploaded to the web server and delivered as-is. Why did we make this radical change?
There’s a single reason: content creation workflow.
We’re DevOps experts and we’re used to efficient tools and clear workflows. We use our favourite text editors to write code and documentation. We use Git to put everything under version control, to propose changes as pull requests, and to review code before it is released. We use testing frameworks like RSpec and a Continuous Integration process to make sure our work meets our quality standards.
When we encountered Middleman, we asked ourselves: What if we applied the same tools and workflows to our work on web content?
This is the result of this thought process. Our website with all its content is now in a Git repository and every change is reviewed in a pull request before it goes live. This applies to all kinds of changes:
- a new blog post in form of a Markdown file,
- a modification of an HTML layout,
- changes in CSS styling, or
Merging a pull request automatically triggers a CI run which runs RSpec tests on the website source code. These tests make sure we adhere to basic rules and quality standards like “Do all important pages have meta descriptions and keywords?” and “Do all Markdown documents adhere to our style guide?” Only if these “integration tests” are successful is the static site content deployed to the web for public consumption.
Being able to use the same basic workflow we’ve been using for years in DevOps now also for content generation makes us much more efficient. No more pasting HTML code into web forms; just a simple git push. In a tiny team with heavy time constraints such as ours, improved efficiency means a lot. Enough to ditch the powerful dynamic content management systems for something lean and nimble.
We’ve put a lot of work into this relaunch and we’re so happy with the design support we got from Palasthotel (separation of concerns FTW!). The new website will be the platform for many product campaigns, some of which are already in the works. And now that we’ve reduced friction to a minimum, we are determined to crank up the helpful-articles machine. So make sure to watch this space!
04 Jul 2016
We’re at a critical fork in the road in terms of data protection for EU businesses and citizens. Yesterday, the European Parliament debated, and today will vote on, the proposed “Privacy Shield” agreement between the EU and US. Privacy Shield is heavily contested and by many experts regarded as more a fig leaf than a steel piece of armor. In her article in today’s Irish Times, Karlin Lillington calls Privacy Shield a “clumsy replacement for the Safe Harbour agreement”.
One of the most criticised aspects of Privacy Shield is how it addresses the protection of data from secret law enforcement scrutiny in the US, a key issue highlighted in the Schrems case before the European Court of Justice. In this matter, Privacy Shield relies only on US government letters of assurance, which are very different from actual changes to law.
Equally weak are the foundations provided for the independence of the proposed US-based ombudsman, who would report to the same US State Department that oversees the US surveillance agencies. Lillington cites European ombudsman Emily O’Reilly expressing her concern in a letter to the EU commissioner responsible for Privacy Shield:
“It would be useful at this stage if you might outline, or reflect on, how these criteria might be reconciled with the fact that the office foreseen in the ‘EU-US Privacy Shield’ would be part of a government department that supervises government agencies… European citizens… have legitimate expectations of the credentials as to the impartiality and independence of such an office.”
A similar concern was raised by the Working Party of EU data protection authorities, which said in April that Privacy Shield still needed considerable work. In “Opinion 01/2016 on the EU–U.S. Privacy Shield draft adequacy decision”, the Working Party (“WP29”) welcomes the establishment of an Ombudsperson as a new redress mechanism but then adds:
“The WP29 is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.”
This has significant consequences for the fundamental rights of EU citizens with regard to data protection:
“Finally, although the WP29 notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals and therefore ineffective.”
The Working Party also finds that key data protection principles as outlined in European law are not adequately addressed in Privacy Shield. This especially applies to the collection of personal data:
“The WP29 however notes that the representations of the U.S. Office of the Director of National Intelligence (ODNI) do not exclude massive and indiscriminate collection of personal data originating from the EU. The WP29 recalls its long-standing position that massive and indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights.”
Businesses who process protected customer data, for example in their web applications, require a solid legal foundation on which they can operate securely. In its current state, Privacy Shield does not seem to provide an adequate implementation.
As a company with the internet at the core of our business model, we at freistil IT believe that raising the bar for data protection will benefit both businesses and individual citizens in the long run. With adequate data protection measures in place, they will be able to navigate, use and expand the digital space with peace of mind. As Lillington concludes:
“In an age replete with evidence of easy digital surveillance, poor digital security protections for citizen data and enthusiastic bulk data gathering by both businesses and governments, [regulatory barriers] are also essential protections to a vulnerable citizenry.”
Nothing comes for free, though. Putting these protections in place requires a significant effort on both the organisational and the technology level.
In this regard, running your websites on our managed hosting platform freistilbox can become the cornerstone of your data protection strategy. As a PaaS company, we can leverage economies of scale to minimise the cost of these efforts for our customers. That’s why we can offer you world-class hosting for Drupal and WordPress at affordable rates. And this includes full data sovereignty: Our business, our staff and our IT infrastructure are based 100% in the EU, with no ties to US-based entities.
So if you, as a web agency or a website owner, have concerns about providing proper data protection at economically viable cost, you should talk to us.
26 May 2016
The ImageMagick tool suite is a popular solution for the processing and modification of image files in web applications. Many Drupal and WordPress websites use it behind the scenes. On freistilbox, ImageMagick is installed on both the web application and shell login boxes.
On 3 May 2016, a whole list of vulnerabilities in ImageMagick, nicknamed “ImageTragick”, was published. Due to an insufficient sanitisation of command arguments, these vulnerabilities allow attackers to execute arbitrary commands and connect to remote websites.
Immediately after the publication of ImageTragick, the freistilbox operations team implemented a workaround that blocks these exploits. Thanks to our automated system management, this workaround has been installed consistently on all servers that use ImageMagick.
The security of our customers’ websites is our first concern, and we’re doing our best to make sure that you can work efficiently and sleep peacefully.
05 May 2016
New customers often ask us how they can deal with email using their website’s domain. The short answer is: There are a lot of options outside of freistilbox that solve this issue much better than we can.
With freistilbox, we focus on delivering world-class web hosting. Operating an email service is a completely different area of expertise. While we have experience in the setup of email infrastructure, running an email service at the same level of quality as our web hosting platform would require changes that we’re not going to make for the time being.
Just as freistilbox offers a much better web hosting solution than our customers could get by “just setting up a server”, we decided that our customers deserve a better email solution than us “just setting up a server”. That’s why we recommend using third-party services that make email their business focus.
All freistilbox application and shell login boxes are equipped with a Mail Transfer Agent (MTA) that allows your web application to send email. This alone doesn’t guarantee that your emails will be accepted by their recipients, though. If our servers aren’t formally authorised to deliver email in your (domain) name, there’s a high risk they’ll quickly get blacklisted as potential spam sources.
Additional measures like including our servers in your domain’s SPF record can lower that risk. But often still more effort is necessary to ensure your messages will reach their recipients.
That’s why we recommend using a specialised email delivery service in the first place, especially if you’re going to send more email than the occasional registration notice. Here are a few well-known options for transactional and marketing email delivery:
There are Drupal modules and WordPress plugins available that make the integration of these services into your web application easy. If you need any help in setting up email delivery in Drupal or WordPress, just get in touch with our support team.
Despite all the attempts to kill it, email still is much too critical for business communication to just provide it as an add-on service without giving it the focus it deserves. That’s why we don’t support receiving email on freistilbox at all. Instead, we recommend using an email provider such as the following:
Our customers choose freistilbox because we’re good at what we do. It just makes sense to take the same approach with regard to email service providers.
04 May 2016