Web Server Migration FAQ

Hello CXRO members! As the primary creator of content for this new web site, I (Bob Gunion, rfgunion [at] lbl [dot] gov) suspect there will be some questions about why we should migrate and what it means. So I've created this page to anticipate as many of those questions as I could. I've undoubtedly missed many important ones, though, so please add comments to this page, email me, or stop by my office if you want to discuss any of this further. Let's start the questions...

  1. Why change the existing web site?

    In a word: security. Over the 2008 Thanksgiving weekend, the web site was hacked and the miscreant(s) got root access to the server. Luckily for us, Jay Krous, one of the IT security people at LBL, noticed some strange network traffic within three hours after the system was compromised and shut us down, thereby limiting the damage. The attack was a fairly well-known exploit among web security types, but none of us at CXRO (me, Jeff Gamsby, or Ron T.) was aware of it until after it happened. After we rebuilt the web server from pre-hacked backups and I plugged the known exploit, the LBL security people ran a scan for a series of known exploits before allowing us back on the web. The whole process took about 4 days.

  2. So the existing web site is secure, right?

    Maybe. Today. That may not be the case tomorrow, or a year from now. Among the reasons it may not be secure in the future are:

    • Hackers may learn of new exploits in Apache, PHP, or even Linux
    • We may make changes that inadvertently introduce security holes

  3. Is greater security the ONLY reason to change?

    Emphatically NO! Not even close. We've been investigating ways to improve on the current design for some time, and this is the result of many discussions and false starts. The new technology will make it possible to offer far more services, with far less effort on our part, than would ever be possible with the old system.

  4. How does the new web site address security issues?

    We're switching from a custom-written web site to a content management system. That means we can provide the same services as the old web site in far fewer lines of code written by us, reducing the opportunities for new security holes. The content management system we have chosen is Drupal, an open-source system used on hundreds, or even thousands, of web sites including some big names like AOL's corporate web site, Yahoo Research, Amherst College, and e-Learning Institute. Each web site maintainer has a vested interest in maintaining the security of Drupal, and when a security exploit is discovered it is plugged very quickly and emails are automatically sent out to people like me so that the appropriate patch can be applied immediately.

  5. Great, but hackers are surely using the fact that Drupal is open-source to find ways to attack it. Doesn't a custom site provide security just by being custom?

    Yes, it is harder for hackers to exploit a custom web site because they don't know how it works. However, as our recent experience shows, it is still possible. Using a widely deployed solution, which is actively maintained by full-time web developers (of which we don't have any at CXRO - including yours truly), is far more secure.

  6. Which features of the old web site will not make it into the new one?

    Short answer: none. Long answer: The public web site (http://www.cxro.lbl.gov) will go online with all the features of the old web site; the private web site (https://mymsd.msd.lbl.gov) will take a little longer, but we will not switch over until we have all the existing features implemented. That includes the purchasing database, personnel list, and everything else.

  7. What new features will we get?

    Lots. Adding or changing content will no longer require any knowledge of HTML or PHP, making it much easier for everybody in our group to contribute. Drupal will keep track of revisions of pages, so we can easily revert to an earlier version if we don't like the new one. As you can see on this page, printer-friendly and PDF versions can be provided for any page, without a single line of code from us. Even the parts of the web site that require coding will be far simpler and more secure, so we will be able to add new features far more quickly and with more confidence. There's far more than we can list here; if you are curious, please go to http://drupal.org to learn more.

  8. What if I like the colors/fonts/layout/... of the old web site better?

    We've noticed that issues of presentation can be highly emotional, and we're sure not everybody will be pleased with our design no matter what we do. But we do listen to suggestions and complaints, and when there is consensus that something needs changing (or a strong opinion and nobody else objects) we will address it. We hope you like the new design right out of the box, however; we've tried to make it attractive and professional.

  9. The text and/or images for my beamline/lab suck! How do I change that?

    That's easy! Send me, Ron, or Jeff an email with the changes you'd like, or talk to us directly, and we'll gladly make the changes. In the (very near) future, you'll be able to make those changes yourself, without going through us, simply by logging in and clicking "Edit" on your page.