Building for the future

This afternoon, we sent the following email to our global team. One of our core values at Cloudflare is transparency, and we believe it's important that you hear this directly from us because it’s a major moment at Cloudflare. 

Team:

We are writing to let you know directly that we’ve made the decision to reduce Cloudflare’s workforce by more than 1,100 employees globally. 

The way we work at Cloudflare has fundamentally changed. We don’t just build and sell AI tools and platforms. We are our own most demanding customer. Cloudflare’s usage of AI has increased by more than 600% in the last three months alone. Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done. That means we have to be intentional in how we architect our company for the agentic AI era in order to supercharge the value we deliver to our customers and to honor our mission to help build a better Internet for everyone, everywhere. 

Today is a hard day. This decision unfortunately means saying goodbye to teammates who have contributed meaningfully to our mission and to building Cloudflare Continue reading

UniFi Network Health Report – Open Source Python Tool (v1.0.0)

If you run a self-hosted Ubiquiti UniFi network — whether it’s a home lab, small business, or multi-site setup — you know the UniFi dashboard is great for real-time monitoring but falls short when you want a clean summary you can save, share, or review later. I built UniFi Network Health Report to fill that...

The post UniFi Network Health Report – Open Source Python Tool (v1.0.0) first appeared on Fryguy's Blog.

How Cloudflare responded to the “Copy Fail” Linux vulnerability

On April 29, 2026, a Linux kernel local privilege escalation vulnerability was publicly disclosed under the name "Copy Fail" (CVE-2026-31431). Cloudflare’s Security and Engineering teams began assessing the vulnerability as soon as it was disclosed. We reviewed the exploit technique, evaluated exposure across our infrastructure, and validated that our existing behavioral detections could identify the exploit pattern within minutes. 

There was no impact to the Cloudflare environment, no customer data was at risk, and no services were disrupted at any point. Read on to learn how our preparedness paid off. 

Background

Our Linux kernel release process

Cloudflare operates a global Linux server infrastructure at an immense scale, with datacenters located across 330 cities. We maintain a custom Linux kernel build based on the community's Long-Term Support (LTS) versions to manage updates effectively at this volume. At any given time, we may utilize multiple LTS versions from various series, such as 6.12 or 6.18, which benefit from extended update periods.

The community regularly merges and releases security and stability updates which trigger an automated job to generate a new internal kernel build approximately every week. These builds undergo testing in our staging data centers to Continue reading

When DNSSEC goes wrong: how we responded to the .de TLD outage

On May 5, 2026, at roughly 19:30 UTC, DENIC, the registry operator for the .de country-code top-level domain (TLD), started publishing incorrect DNSSEC signatures for the .de zone. Any validating DNS resolver receiving these signatures was required by the DNSSEC specification to reject them and return SERVFAIL to clients, including 1.1.1.1, the public DNS resolver operated by Cloudflare.

The country-code top-level domain for Germany, .de, is one of the largest on the Internet. On Cloudflare Radar, it consistently ranks among the most broadly queried TLDs globally. An outage at this level of the DNS hierarchy has the potential to make millions of domains unreachable.

In this post, we’ll walk through what we saw, the impact of these events, and how we applied temporary mitigations while DENIC resolved the issue.

How DNSSEC works

DNSSEC (Domain Name System Security Extensions) adds cryptographic authentication to DNS. When a zone is signed with DNSSEC, each set of records is accompanied by a digital signature known as an RRSIG record that lets a resolver verify the records haven’t been tampered with. Unlike encrypted DNS protocols, such as DNS over TLS (DoT) and DNS over HTTPs (DoH), DNSSEC is about Continue reading

Worth Reading 050626


DDoS mitigation often relies on BGP for “scrubbing”, but how this appears in routing data is not well understood. We analyse five major providers to distinguish between always-on and on-demand protection.

 


This column argues that without AI, adequate privacy has become simply out of reach. This is not because AI is benign; it most definitely is not. Rather, the modern digital ecosystem has evolved to a point where no human, unaided, can understand, monitor, or manage the complexity of today’s data practices.

 


Conventional memory schemes follow the Pareto Principle, in which approximately maintaining 20% hot data can meet 80% of requests. L

 


Google has just forked its Tensor Processing Unit, or TPU, designs for these two workloads, the very first time in more than a decade that TPU systems of the same generation were truly architecturally distinct from each other.

 


Fake domains are not a new problem. What’s now changing is the scale and how easily attackers can blend into your domain ecosystem with lookalikes, inactive registrations, and domains set up purely for email.

Calculating The Kubernetes Integration Tax: What Your DIY Networking Stack Actually Costs

It was 11:47pm on a Thursday night, and a senior platform engineer at a large North American bank was rolling back a ‘simple’ configuration change. The change itself was small, a routine update approved through the usual review process, but when it was applied, pods began cycling and connections started dropping. For the next three seconds, mobile banking sessions already mid-transaction dropped. Customer support lit up. The incident review the next morning spent most of its time arguing about how the change had been approved. Almost no one asked the harder question: why a configuration change in one place broke something seemingly unrelated.

That question rarely gets a clean answer. What looks like a single layer is usually one knot in a stack of five to seven products including a CNI, network policy, service mesh, observability, threat detection and compliance tooling that come from different vendors and were never designed to operate as one system. Each one works. The gaps between them are where the risk, and the cost, lives.

This is just one example of the Kubernetes integration tax.

What is the Kubernetes Integration Tax?

The Kubernetes integration tax is the cumulative cost in engineer time, security exposure, Continue reading

D2D

t's a new space race with a number of satellite operators pushing out LEO satellite services that operate directly to hand-held devices, or D2D.

You cannot sell AI written software

You may have seen it too. This trend of “I wrote some software to solve a problem. I think it’s pretty great. Does anyone have any feedback?”. Maybe it’s a budget app. Or some company management thingy, tracking sales. Or invoicing.

Maybe you take a look. It looks pretty slick. But then you get a feeling of uncanny valley. It’s just not right. Maybe you can’t even put your finger on it.

I’m not an accountant, so when I see some accounting software do something in a different way, it’s interesting. Why is it that way? What can I learn from the fact that a professional thinks it should be this way?

You already know what’s weird about it, if nothing else because of the title of this post. The software works this way because the LLM wrote it that way. There’s no reason. It’s not even wrong.

How do you give “feedback” on that? My feedback would be that you don’t understand the problem you’re trying to solve, and have shown no sign you intend to understand it, so how could you possibly think you can solve it?

You’re not asking for feedback. You’re asking for someone Continue reading

Worth Reading 050426


What can we learn about QUIC deployments just by listening to unsolicited QUIC traffic? This question becomes specifically exciting since QUIC aims for enhanced privacy by obfuscating metadata.

 


Securing AI means securing all the AI layers and throughout the lifecycle: data, model, and applications, in training and in inference.

 


According to a Reuters report, Meta is installing tracking software on its employees’ work computers. The tool, called Model Capability Initiative (MCI), will log mouse movements, clicks, and keystrokes. It will also take occasional screenshots of employees’ screens.

 


Despite its usage, the behaviour of BGP-based scrubbers is not well understood, such as whether scrubbers are always on-path or activated on-demand.

 


The UK’s National Cyber Security Centre (NCSC) has officially endorsed passkeys as the default authentication standard, marking the first time the agency has told consumers to move away from passwords entirely.

SONiC Part II: Deploy a SONiC Switch Clos Topology

 

Introduction

 

This chapter explains how to create and deploy a simple SONiC-based Clos topology in WSL using Containerlab. First, we open VS Code from WSL to create and edit a topology definition file. Next, we build the topology by defining nodes (SONiC switches and Linux hosts) and the links between them. Before deploying the lab, we verify the wiring with Containerlab’s built-in topology graph. Finally, we deploy the topology and validate access to the nodes using both a Linux shell and the SONiC CLI (vtysh).

Phase 1: Integrate VS Code with WSL




There are a couple of ways to use VS Code with WSL. In this lab, we launch VS Code from the WSL terminal using code .. The first time you run this command, VS Code installs the VS Code Server components inside WSL and then opens a VS Code window connected to the Linux environment. After the installation completes, running code . from any directory opens that folder directly in VS Code.

nwkt@Toni:~$ code .

Updating VS Code Server to version 034f571df509819cc10b0c8129f66ef77a542f0e

Removing previous installation...

Installing VS Code Server for Linux x64 (034f571df509819cc10b0c8129f66ef77a542f0e)

Downloading: 100%

Unpacking: 100%

Unpacked 3505 files and folders to /home/nwkt/.vscode-server/bin/034f571df509819cc10b0c8129f66ef77a542f0e.

Looking for compatibility check Continue reading

SwiNOG 41: It Was Nice to Be Back

Last week’s SwiNOG was (as expected) great fun at a phenomenal location, starting with the first slide of the first presentation: “6 Stages of Network De-sh*tification”. I particularly loved the “talk less, chat more” schedule. The longer breaks gave us plenty of time to catch up with old friends and discuss interesting, sometimes completely unexpected, topics. For example, I learned that SIP MESSAGE is used to carry SMS messages these days.

As much as I loved chatting with fellow networking engineers, I also found these presentations highly interesting:

Read more …

Simple Wireguard VPN Setup with wg-easy

Simple Wireguard VPN Setup with wg-easy

WireGuard is a modern VPN protocol that is fast, lightweight, and much simpler to set up compared to other options like OpenVPN. It runs in the Linux kernel, uses modern cryptography, and the configuration is just a few lines, which makes it a great choice for personal use.

The problem is, even though WireGuard itself is simple, managing peers can get tedious. You have to generate key pairs, edit config files, hand out configs to each device, and keep track of who has access to what. If you have a few family members or friends who want to use your VPN, this quickly becomes a hassle.

This is where wg-easy can help. It is a simple open-source web UI that sits on top of WireGuard and takes care of all the boring bits for you. You can add or remove clients with a single click, generate QR codes for mobile devices, and see who is connected, all from a clean web interface.

In this post, I will walk you through how to set up wg-easy so you can have your own self-hosted VPN running in just a few minutes.

Lab Topology

Before we get into the setup, let me quickly Continue reading

1 2 3 3,867