whitehouse.gov

Earlier this month, the Executive Office of the President of the United States of America relaunched their website, Whitehouse.gov, using Drupal. This week three members of the White House new media team presented at the Washington, DC Drupal users group. New media director Macon Phillips, deputy director of technology David Cole, and creative director Nik Lo Bue talked about their use of Drupal.

In this video, Macon Phillips addresses how they want to create opportunities for citizens to participate in their government. David Cole talks about why they wanted to change their technology platform, what they actually built, and where they are going with that new platform. Nik Lo Bue addresses how he wanted to use an amazing brand experience to visually communicate with citizens using Drupal.

White House New Media Team on Using Drupal

Comments

rivena’s picture

That is so awesome.

Anisa.

PC Pro Schools’s picture

It is awesome. That's like the best word to use when describing this. This move by the government just goes to show how stable and secure Drupal is.

Awesome score with this one, Drupal. Good job!

GiorgosK’s picture

Yeay
Great news to see government using open source and especially drupal

aniediudo’s picture

This is simply amazing and a BIG BIG testimonial for Drupal & Open Source. I'm working on getting organizations & institutions migrate to Drupal here in Nigeria. With this, making a case is gonna be real easy...

Nigeria’s picture

Who you having success with so far?

Ade Atobatele

aniediudo’s picture

Cool to find out you've been active on the Drupal community. Noticed the nigeriadotcom site was Drupal & I was impressed & looking forward to meeting you. You can reach me on codeweavernaija@gmail.com. There are a couple of issues we can collaborate on i guess.

JohnForsythe’s picture

Getting whitehouse.gov is a huge win for Drupal. I think this will convince a lot of people who were on the fence. All those "top x sites running on Drupal" lists have a new #1 to add. :)

Great video, too.

nmridul’s picture

Awesome. This will give a boost to Drupal's image among developers.

--
http://clipped.in - Latest Indian blogs

jcmwebs’s picture

Such news is further proof that drupal users/developers are on the right track. Any idea if the top area (switching between 1 2 3 4) is a module or a custom built script?

petreej’s picture

I think this is the dynamic display block module
http://drupal.org/project/ddblock

-Pete

bfajen’s picture

My company works almost entirely with associations and other non-profits. This community will benefit enormously from this announcement and the engagement of the development team of Whitehouse.gov!

chosig’s picture

Not to be overly evanglic and all, but for me the loading time of that site is now about 1/10 of what it used to be, but that could be just me.

davydog’s picture

Shines a much appreciated spotlight on the open source community.

-
dave myers
portland, oregon

adelval’s picture

Hi,

First of all, congratulations! Drupal was recommended to me recently and I expect to become a new user of the system. I've been asked to justify my choice, and this makes it really easy :-) without getting into tedious feature-by-feature comparisons of a dozen CMSs.

I'd like however to make a request. The audio quality is pretty bad, there's a lot of background noise, and even though I lived for 7 years in California, I have a hard time understanding it (I'm not a native English speaker). Would it be possible to add English subtitles to the video? I think that would be very helpful in extending Drupal in non-English speaking countries.

Al

aydos’s picture

i agree with that... (i didnt live (long time) outside my country at all)

robertDouglass’s picture

Kent Bye at Lullabot has provided very good written coverage of the video. It's not the same a subtitles, but his article is so complete you won't miss any of the details. http://www.lullabot.com/blog/white-houses-open-source-plans-previewed-dr...

my Drupal book | Twitter | Director, Product Operations Commerce Guys

JayNL’s picture

sad write-up. Don't publish such a tiny article just because the community wants it... Sorry, but for the single most appreciated milestone ever in the history of the Drop, this is just sad...

fletchgqc’s picture

Jay, why don't you do some research into the story and write up some more text yourself. If you send it to Amazon he'll surely publish it. He's quite a nice guy.

JayNL’s picture

I wish I had the time. It'd be quite an honor to write it, but I assume emailing webmaster@whitehouse.gov, asking if they used Views and Panels, won't lead anywhere because they probably don't answer :)

I have no clue where to start...

giorgio79’s picture

This certainly seals the future of Drupal. I am glad I made the choice two years ago. Kind of like buying into a stock with a great potential, and seeing it blossom in the end. :)

tfleming’s picture

As a new user of Drupal, I was initially thrilled to hear of this decision for many of the reasons noted above. As I began to use the tool developed for us by a DC Drupal firm, it become increasingly more difficult to understand how decisions were made by the multiple developers involved in its creation-themes were off if done at all, layout of edit nodes were different from node to node, various functionalities or fixes overrode each other unpredictably. Shortly thereafter, I came across this critique of the White House's decision to go with Drupal in Slate.

http://www.slate.com/id/2233719/

Understanding this is of course the Drupal.org community, I'd be interested in a sincere feedback on this take, particularly the last bullet point, which characterized well those at the firm we employed. Also, does anymore have more information on the decision by Recovery.gov to bring in a private contractor to rework their site, yet the White House deciding to proceed with a Drupal platform nonetheless?

pkiff’s picture

There have been several postings elsewhere in response to Chris Wilson's critique in Slate of whitehouse.gov's move to Drupal. Perhaps the most freqiuently cited response is from Conor McNamara, who is misquoted in the Slate article:

Messenger's Error(s): Chris Wilson's flawed rant about Drupal and whitehouse.gov:
http://www.databasepublish.com/blog/messengers-errors-chris-wilsons-flaw...

I personally find that McNamara makes some good points, but misses others.

You might also look at:

Correcting Drupal FUD (by MikeKeran):
http://mikekeran.com/correcting-drupal-fud

I'd be curious to know if the folks who actually worked on whitehouse.gov have anything to add. And I'd also be interested in hearing their take on the decision to use SharePoint for recovery.org. But I expect that those projects were entirely separate and the decisions about CMSes probably had to do with the specific circumstances, requirements, budgets, and timelines of each one.

Regarding the "last bullet point" you are wondering about: you mean Wilson's claim that "Drupal is righteous"? Well, I think I can respond to that myself. Drupal is simply software that has built up a strong community around it. There are certainly evangelists and proselytizers for Drupal, just as there are for any good software. But if something about that community, or a part of that community bothers you, then just ignore that part and move on, there is nothing "righteous" about the software itself. If you are uncomfortable with the attitude of the staff at the firm you hired, then next time you hire someone be sure to include appropriate attitude as part of your hiring criteria -- though it sounds like your problems are more with the product the firm delivered than with their attitude. Don't forget, however, that those "evangelists" that Wilson derides are sometimes the very same people who will reach out across the internet to help out strangers, for free, in the middle of the night. Or who will code away for hours and hours in their free time so that others can benefit. Also realize that there are also lots of people who simply use Drupal as a tool like any other, who work with many different CMSes depending on what suits the job, and who are working with Drupal simply because it does its job so well.

Phil.

giorgio79’s picture

As I was reading the Slate article, I was thinking to myself, that the writer is a whiner. He needs to stand up from his computer a bit and smell the roses to get a bit of cleanness and freshness in his mind. :D

Why?

If you dont like something about Drupal, than you have the power to change it.

1. Submit a feature request
2. Write some code and submit it as a patch or as a new module
3. Pay someone to do #2 for you.

That simple.

giorgio79’s picture

I found another critique though that seems to be more thoughtful than the one at Slate:

http://ha.ckers.org/blog/20091025/whitehouse-drupal-and-the-open-source-...

"how is a locked down highly customized variant of Drupal different than a proprietary solution?" He says that whitehouse.gov is certainly not using the Drupal you and I can download at drupal.org :) I guess those who work on it know better, maybe they will comment.

Although I assume many of the security improvements, if there were any on the code itself, will eventually be committed to Drupal as well since it is open source, so again, that is all the better for Drupal.

pkiff’s picture

Well, I'm certainly not the best person to comment on security in Drupal, but in the absence of a more informed view, I might as well respond to this other critique as well. I honestly don't think that the argument put forward by "RSnake" on ha.ckers.org is particularly strong. A review of the comments to RSnake's blog covers most of the reasons why.

As far as I can tell, most of what RSnake claims is based on a blind guess about the nature how whitehouse.gov uses Drupal and the nature of security implemented on whitehouse.gov. RSnake may be some l33t hacker in some hacker community somewhere, and I have no doubt he knows a good deal more than I do about hacking, but I still think that RSnake is simply guessing wrong about the way whitehouse.gov uses Drupal. And if he's not outright wrong, then he is still wrong about the basics of how a professional developer would go about securing Drupal further while leveraging its open source qualities.

My impression is that Drupal is indeed pretty secure, and I don't see anything in RSnake's critique that counters that. And I personally would be surprised to discover that the whitehouse.gov installation is really some totally reworked custom solution. What would be the point? The whole point of using Drupal is to be able to take advantage of the contributions and improvements made by the community so that you can then concentrate your customization efforts on other things without having to worry about the basic nuts and bolts. Even a non-security person like myself is aware that there are many things you can do to secure a Drupal-based site that are based on server configurations and systems infrastructure and that don't (and shouldn't!) really require radical changes to any core Drupal code. Besides, if the whitehouse.gov folks made changes to Drupal, wouldn't the best way to make those changes be to do them in a way that worked with the modular coding style on which Drupal operates? Wouldn't you then still be able to make use of huge swaths of code that were part of the basic off-the-shelf package that Drupal provides to regular users?

In the video posted by the whitehouse.gov folks, they specifically credit the Drupal community in DC, they note that they are using code created by the Drupal community, and that most of the site comes from off the shelf modules. I don't see why that wouldn't be the case, and that basically counters the basis for RSnake's whole argument.

Phil.

yautja_cetanu’s picture

RSnake didn't counter your impression that it is indeed pretty secure. He says,

"Look, if you were talking about vulnerabilities per line of code or something, I may get on board with that statement, but that’s just not how the real world works."

What he is talking about is an intrinsic insecurity in using code that is freely available. Lets imagine for example that Drupal is the single most secure peice of software in the world and there is only one security flaw (in fact only one bug in the entire piece of software) and it hasn't been found yet (And so the issue queue is entirely made up of feature requests).

You would be right to say that Drupal was secure. It is also more secure then any priopriety software that exists or could be written by an in-house team. However, with Rsnakes reasoning it still would not be secure enough. What he is saying is that if an in-house team wrote a piece of software with one security flaw. It would be very difficult to find because if a hacker tried to exploit the website the people hosting the government website would find out that people are making attempts and come down on them (Find IP address etc). But with drupal even with its single security flaw, they would just have to sit there on their own, without even being connected to the internet looking for the security flaw. Once they have found it there is a high chance the same flaw will be on whitehouse.gov

And so there will always be, intrinsically a security problem with open-source software.

What whitehouse.gov developers seem to be saying is that this is balanced out by the fact there are loads of hackers on your side in the drupal community also looking for those flaws and trying to fix them. Whereas with in-house software you have to rely on your much smaller in-house team. Therefore overall Drupal might be more secure.

But we can't ignore Rsnakes criticism

pkiff’s picture

Well...I think you are pointing to a fairly well-trodden debate about whether the advantages of "security through obscurity" outweigh the extra security advantages that one achieves by having a community of hackers working on your code and making it available through open source policies. There is considerable debate about that question. Rsnake only partly lays out the framework of that argument, and I don't think Rsnake adds anything substantive to what others have already said about it. His core argument isn't actually about that, and indeed, I think he more or less assumes that security through obscurity is best when it comes to a CMS because of his argument about the possibility of being able to "pen-test" it without visiting the site itself. And he infers that therefore the whitehouse.gov developers will have rewritten significant parts of the Drupal core code in order to make it more secure. My argument is that his assumption is wrong.

What you are calling an "instrinsic" security problem with all open source software, I would identify as simply the context within which one uses open source software. And while I'm not a specialist in this area, my impression is that whether security through obscurity is more secure than open source practices depends heavily on one's specific deployment, and in the case of the Whitehouse, both methods could be employed at different layers of code.

One of my main points earlier is the suggestion that Drupal is not the entire system of security available to the designers of the White House website: there are layers of security available. Take the web server, for example. An obvious security mechanism would be to configure the server software to restrict access from anyone trying to go in and edit the whitehouse website from an external computer. Or to make editing the live site actually impossible, and only allow editing of a second, duplicate "staging" site, and then restrict who is able to access the files necessary to upload the site to the production server. I'm sure there are lots of techniques like this: I'm not a security person, but these are two examples that I can understand and describe as concepts.

What I'm suggesting makes Drupal nice in this context is that it has been coded in such a way that it will integrate well with whatever other methods of security your web team decides to deploy, precisely because of its much vaunted "modular" coding practices and because security is something that Drupal developers have been thinking carefully about since day one. That doesn't mean that Drupal doesn't have critical security flaws that are exposed briefly before patches get written: custom-built code will also have its share of critical security flaws. It does mean that you use additional layers of security to protect your website so that such flaws don't leave you open to attack, regardless of which approach you use to protect your CMS's code. To take the example of the two server techniques I identify above, I would say that these two techniques will protect your website from hackers much, much, much better and more securely than any kind of customization done to the core CMS code -- be it Drupal or some custom-built version of your own.

When Rsnake says "that's just not how the real world works", he is arguing that Dries's claim is wrong and that the use of Drupal for whitehouse.gov is not evidence that the US government is approaching open source software differently. I think Rsnake doesn't know how the real world works. I think that professional, real world security works something closer to the way that I've described. Code that has a strong history and a strong, active developer commuinity gets used and reused, while code that is new or totally custom-built is treated with suspicion. Unlike Rsnake, I think that the whitehouse.gov folks did not customize or strip away the Drupal core code in a way that significantly departs from the publicly available code that is the same that you or I would download. You don't add security to Drupal by rewriting it, you add security to it by building layers on top of it or around it. There may be some little customizations to the core code here and there, but the basic core code is probably used pretty much as is. I wouldn't think that the whitehouse.gov security team would concentrate on rewriting Drupal code to make it more secure -- they would concentrate on adding additional layers of security to the server environment, to PHP, to Apache, to MySQL, that would lock down Drupal and limit its access. Possibly, there are one or more modules that have been custom-built to create additional security, but that doesn't weaken Dries's argument. That's not ignoring Rsnake's criticism. It is countering it. I honestly don't think that Rsnake knows how skilled, professional developers handle security when they roll out large-scale web platforms, and in particular, I don't think he knows enough about how Drupal is coded or how it works to make the claims he does. I would say that I have only limited knowledge about these things myself, but even with my limited knowledge, I think that I know more about it than this Rsnake character does.

Phil.

andrewblack’s picture

hi.. nice site..
anybody have step by step how to develop it

TIA

dman’s picture

  1. Talk to developmentseed
  2. Give them a government-sized amount of money.
  3. Have a coffee.
Thomasr976’s picture

Sorry that I missed this meeting. The fact that the whitehouse.gov team accomplished this is nothing short of a miracle. That's because the White House and the Office of Managment & Budget usually try to minimize risks. I am sure that many people they had to work with created or tried to create doubt in their minds.

Lets keep in mind that the white house staff were really talking to a friendly audience. But what about the website teams of the approximately 24,000 other Federal Government websites? They are charged with a similar mission see http://www.usa.gov/webcontent/documents/Federal_Web_Managers_WhitePaper.pdf.

Those web site managers can probably grasp the beauty of an Open Source CMS and Drupal quite easily or perhaps have heard some horror stories. (It only takes one!). Even if they get it, the real issue for them is how to overcome the mindsets of people in charge at their agency who may be "risk adverse" to an open source CMS let alone Drupal. They would also want to know more about the practical side of the CMS and how it can address issues that they will face.

The whitehouse.gov team could really help the federal website owners by addressing the following issues and questions that they successfully faced. Wouldn't it be great to see a short paper or at least short presentation on this.

1) The real costs of using Drupal. Sure the software is free, but what about the investment in people to design, implement and finally maintain a Drupal website. Is there a cost saving with Drupal or at least a better benefit to cost ratio in terms of advancing e-govement and reaching out to citizens?

2) How to migrate content into Drupal. Remember, government agencies turnout alot of content- reports, news releases, policies, decisions, etc.

3) The security concerns- how they are handled and can Drupal effectively deal with the Federal Information Security Management Act (FISMA) and other requirements. As a website owner I am routinelly upgrading modules and versions due to the great work of Drupal's Security Team. Glad they are on top of things.

4) Personally Identifiable Infomation (PII)- how did the white house team handle this.

5) Procurement- most federal website managers have to work with large IT contractors. While the CIOs of the federal agencies will have to be convinced about open source, the large IT vendors who provide IT support and services will also have to be on board or at least not plant roadside bombs. Some vendors like IBM and Sun M understand CMS and specifically Drupal. Others will fight it or create a climate of doubt.

6) Legal implications- everything in government has a legal side. i am sure that the white house team had to educate the lawyers and provide some assuances on who currently uses Drupal in the private and non-profit sectors.

ascetic’s picture

that's an awesome drupal site, it would be great if there is a complete case study about it so we can all learn creating a such powerful website :D

lilott8’s picture

Maybe now I can get that job at the White House I have always dreamed of.

mustardman’s picture

As soon as people start fearmongering about security that should IMMEDIATELY raise a red flag. Security is a very popular scapegoat when someone want to trash something or promote their own products/services. 99% of the people reading don't know enough about it to confirm or deny so it's an easy way to try manipulate peoples opinions.

You can claim just about ANYTHING connected to the internet is not secure and it would be very hard to disprove in ways most people could understand. The reality is the only way you can get absolute security is to cut the network cable. Far far too much paranoia about security out there and far too many people with an agenda willing to exploit that.

Thomasr976’s picture

As someone who has two drupal sites and very keen on security, I can vouch for Drupal's security. I also made the point earlier in this thread that security is a concern that will have to be addressed since government staff are always worried about it. In fact, addressing those security concerns should be relatively easy. Here's why.

With Drupal we are not waiting for some corporate bigwig to give the go ahead to release a security patch on a module or feature or for that matter the core versions. In the private sector, that person may have to weigh other matters along with security before releasing a fix. For example, how Wall Street will perceive the problem, what other partners will think, should I delay the release until after i relese my corporate earnings, etc.

With Drupal module maintainers and the Security Team, the focus is where it should be-- on protecting cyber assets. There is also pretty good documentation on how to configure Drupal to reduce threat's etc.

I'm still relatively new to open source and Drupal. That said, I'm impressed with how often that the core and the modules are routinely being upgraded when their are security issues or a performance glitches with code or imcompatibility with another module. It's rather magical that so many people contribute their time and expertise. Sometine the upgrades come rather close together and can be frustrating, but I see that as evidence that if there is a security issue it is going to get addressed and the Drupal Community is going to hear about it.

Finally, if anyone doubt's Drupal's security all they have to do is to subscribe to Drupal's Security Newsletter at http://drupal.org/drupal-6.14. Also the Update Status module which is available in Drupal 5.x and a part of core in Drupal 6.x helps administrators keep track of both core and modules that require updates. If you are still unconvinced, just set up a test site using Drupal 6.x and see how security is integrated into the entire system.

ctientcheu’s picture

Does anyone know how they did the principal menu?

najuk’s picture

nice web site

SmokinJ’s picture

My name is Jacob Luetkemeyer and I am the Secretary for the Missouri Republican Liberty Caucus. I was turned on to Drupal a couple months ago for the same reason. I am running for state representative in my district and I want to increase the communication between the people and their elected officials. I am working on a drupal based site to do this for the Missouri RLC organization. I have programming experience but not much on web developement so the site is still plain but Drupal has really helped me create a site without having to do a lot of programming myself. It would be nice to have a theme developed for these specific types of sites.

Thanks Drupal!

Jacob Luetkemeyer
Candidate for Missouri District 117 Representative
http://www.rlcmo.org

spelzmann’s picture

Wow, this is big news for OS/drupal community.

Elteto’s picture

Just remember, all this enthusiasm is good, but simply because the government USES open source, it does not mean it IS open source. And probably it is a good thing that entities such as the Supreme Court, Congress, and the Senate are NOT wiki pages or user-created revisions. There is a reason we elect qualified, knowledgeable representatives to advocate our interests. The new Whitehouse.gov, however, is a testimony to the current administration's commitment to open source. Now if they started switching to open source servers and desktops everywhere, installed open source office applications, and stored data in open source database management systems, they would save taxpayers even huger amounts of money. Whitehouse.gov is an excellent step in the right direction. A government cannot afford to lock itself into proprietary solutions and accompanying restrictive contracts. Since then-Senator Barack Obama started running for office, Americans have started to care about our nation and government at unprecedented levels. Today's youth is more interested in making our country better for all of us, and the amount of talent out there willing to volunteer is amazing. With expanding implementation of open source, the government opens the doors for more Americans to contribute based on their specialty fields. Legions of volunteers motivated by sense of civic duty will improve government information management infrastructure better than any corporation interested only in the bottom line.

davletico’s picture

¿Donde puedo encontrar el lin para ver ell codigo abierto?

aniediudo’s picture

Cool to find out you've been active on the Drupal community. Noticed the nigeriadotcom site was Drupal & I was impressed & looking forward to meeting you. You can reach me on codeweavernaija@gmail.com. There are a couple of issues we can collaborate on i guess.

concheng’s picture

Do anyone know which theme they use on whilehouse.gov? is it custom made theme or is it available on drupal theme download site?

aiphes’s picture

Great website , but what the module used to make navigation ? look like Mega Drop Down ( http://www.sohtanaka.com/web-design/mega-drop-downs-w-css-jquery/ ), is it a port to drupal ? is it aviable in the module repository ?

thanks

Dev Server Ubuntu 12.04 LAMP PHP 5.3.10 Virtual Box
7 websites powered by drupal 6 - Hosted by OVH and Always Data

GiorgosK’s picture

ronline’s picture

@concheng me too I'm looking for a theme similar to whitehouse.gov.
I found http://www.symphonythemes.com/node/147 , which is a kind of replica for 60$. It has only 2 columns layout and no color scheme. It has a slide show but you can get a free equivalent with Views slideshow: Ddblock => http://drupal.org/project/views_slideshow_ddblock.
I'm going through the http://drupal.org/project/Themes if any of you guys has some links fell free to post it here.

pkiff’s picture

Just noticed that the whitehouse.gov site appears identical in IE6 to how it appears in Firefox and IE 8, including the fancy top menu and the rolling banner at the top. Congrats to whoever got all the CSS to cooperate with you to do that.

Phil.

fallenleaf’s picture

This site used galleria for photos. But why they delete the exif of pictures.

what modules whitehouse used
library of brands

mr.ashishjain’s picture

So, its definitely a milestone in Drupal's success history. Scenarios are changed as development continues. How likely would they continue using that would be interesting to know about..!!