0

Welcome to Cloudflare Security Week 2021!

Today kicks off Cloudflare's 2021 Security Week. Like all innovation weeks at Cloudflare, we'll be announcing a dizzying number of new products, opening products that have been in beta to general availability, and talking to customers and through use cases on how to use our network to fulfill our mission of helping build a better Internet.

In Cloudflare's early days, I resisted the label of being a "security company." It seemed overly limiting. Instead, we were setting out to fix the underlying "bugs" of the Internet. The Internet was never built for what it's become. We started Cloudflare to fix that. Being more secure was table stakes, but we also wanted to make the Internet faster, more reliable, and more efficient.

But a lot of what we do is about security. Approximately half our products are security related. And that makes sense because some of the Internet's deepest flaws are that it specifically did not engineer in security from the beginning.

Security: The Internet’s Afterthought

John Graham-Cumming, Cloudflare's CTO, gives a terrific talk about how the Internet we all have come to rely on wasn’t designed to have the security we all need. In Tim Berners-Lee's original proposal for Continue reading

0

Worth Reading: Splitting the Ping

I hope you’re aware that the venerable ping (and most of its variants) measures round-trip-time – how long it takes to get to the destination and back – but is there a way to measure one-way latency or find out asymmetric transit times?

Ben Cox found a way to use ICMP timestamps together with reasonably accurate NTP-derived time to do just that. More details in Splitting the ping (HT: Drew Conry-Murray).

0

Worth Reading: Splitting the Ping

I hope you’re aware that the venerable ping (and most of its variants) measures round-trip-time – how long it takes to get to the destination and back – but is there a way to measure one-way latency or find out asymmetric transit times?

Ben Cox found a way to use ICMP timestamps together with reasonably accurate NTP-derived time to do just that. More details in Splitting the ping (HT: Drew Conry-Murray).

0

Deconstructing that $69million NFT

"NFTs" have hit the mainstream news with the sale of an NFT based digital artwork for $69 million. I thought I'd write up an explainer. Specifically, I deconstruct that huge purchase and show what actually was exchanged, down to the raw code. (The answer: almost nothing).

The reason for this post is that every other description of NFTs describe what they pretend to be. In this blogpost, I drill down on what they actually are.

Note that this example is about "NFT artwork", the thing that's been in the news. There are other uses of NFTs, which work very differently than what's shown here.

tl;dr

I have long bit of text explaining things. Here is the short form that allows you to drill down to the individual pieces.

• Beeple created a piece of art in a file
• He created a hash that uniquely, and unhackably, identified that file
  
• He created a metadata file that included the hash to the artwork
• He created a hash to the metadata file
• He uploaded both files (metadata and artwork) to the IPFS darknet decentralized file sharing service
• He created, or minted a token governed by the MakersTokenV2 smart contract on the Ethereum blockchain
• Christies Continue reading

0

Basics First and Basics Last

This week I found my tech life colliding with my normal life in an unintended and somewhat enlightening way. I went to a store to pick up something that was out of stock and while I was there making small talk the person behind the counter asked me what I did for a living. I mentioned technology and he said that he was going to college for a degree in MIS, which just happens to be the thing I have my degree in. We chatted about that for a few more minutes before he asked me something I get asked all the time.

“What is the one thing I need to make sure I pay attention to in my courses?”

It’s simple enough, right? You’ve done this before and you have the benefit of hindsight. What is the one thing that is most important to know and not screw up? The possible answers floating through my head were all about programming or analytical methods or even the dreaded infrastructure class I slept through and then made a career out of. But what I said was the most boring and most critical answer one could give.

“You need to know Continue reading

0

Moving k8s communication to gRPC

Over the past year and a half, Cloudflare has been hard at work moving our back-end services running in our non-edge locations from bare metal solutions and Mesos Marathon to a more unified approach using Kubernetes(K8s). We chose Kubernetes because it allowed us to split up our monolithic application into many different microservices with granular control of communication.

For example, a ReplicaSet in Kubernetes can provide high availability by ensuring that the correct number of pods are always available. A Pod in Kubernetes is similar to a container in Docker. Both are responsible for running the actual application. These pods can then be exposed through a Kubernetes Service to abstract away the number of replicas by providing a single endpoint that load balances to the pods behind it. The services can then be exposed to the Internet via an Ingress. Lastly, a network policy can protect against unwanted communication by ensuring the correct policies are applied to the application. These policies can include L3 or L4 rules.

The diagram below shows a simple example of this setup.

Though Kubernetes does an excellent job at providing the tools for communication and traffic management, it does not help the developer decide the Continue reading

0

Random Employee Chats at Cloudflare

Due to the COVID-19 pandemic, most Cloudflare offices closed in March 2020, and employees began working from home. Having online meetings presented its own challenges, but preserving the benefits of casual encounters in physical offices was something we struggled with. Those informal interactions, like teams talking next to the coffee machine, help form the social glue that holds companies together.

In an attempt to recreate that experience, David Wragg, an engineer at Cloudflare, introduced “Random Engineer Chats” (We’re calling them “Random Employee Chats” here since this can be applied to any team). The idea is that participants are randomly paired, and the pairs then schedule a 30-minute video call. There’s no fixed agenda for these conversations, but the participants might learn what is going on in other teams, gain new perspectives on their own work by discussing it, or meet new people.

The first iteration of Random Employee Chats used a shared spreadsheet to coordinate the process. People would sign up by adding themselves to the spreadsheet, and once a week, David would randomly form pairs from the list and send out emails with the results. Then, each pair would schedule a call at their convenience. This process was the Continue reading

0

Automate Leaf and Spine Deployment – Part5

The 5th post in the ‘Automate Leaf and Spine Deployment’ series goes through the deployment of the services that run on top of the fabric. These services are grouped into 3 categories, tenant, interface and routing. Services are configured only on the leaf and border switches, the spines have no need for them as they just route the VXLAN encapsulated packets with no knowledge or care of what is within them.

0

Weekend Reads 031921

It was a huge attack, with major implications for US national security. The Senate Intelligence Committee is scheduled to hold a hearing on the breach on Tuesday. Who is at fault?

We are on a path that will see information security transformed in the next 5-10 years. There are five trends that will enable us as an industry to improve the overall security posture and reduce the surface attack space.

In the wake of recent high-profile security incidents, I started wondering: what, generally speaking, should an organization’s security priorities be? That is, given a finite budget — and everyone’s budget is finite — what should you do first?

In this essay, we discuss Articles 22-25.3 After focusing on civil and political rights in the earlier Articles, the drafters of the UDHR turn to social security, defined as the economic, social, and cultural rights necessary for personal dignity and the free of development of one’s personality.

Adding to the list of difficulties that surfaced last year, 2020 was also grim for personal data protection, as it has marked a new record number of leaked credentials and PI data.

A company that rents out access to more than 10 million Web Continue reading

0

5 Ways to Save Costs on Microsoft Azure

To ensure costs remain at the desired level, organizations need to manage resource consumption. Azure offers a wide range of tools to help.

0

Heavy Networking 568: Effective Technical Communication

Today's Heavy Networking explores how to communicate complex, nuanced technical topics to non-technical people. We examine how to balance finicky details with broader outcomes, discuss the value of editing and review, share writing tips, and more.

0

Heavy Networking 568: Effective Technical Communication

Today's Heavy Networking explores how to communicate complex, nuanced technical topics to non-technical people. We examine how to balance finicky details with broader outcomes, discuss the value of editing and review, share writing tips, and more.

The post Heavy Networking 568: Effective Technical Communication appeared first on Packet Pushers.

0

HDMI Dummy Plug Success with VNC!

Spoiler alert, but I am pleased to report back that my experiment with adding an HDMI dummy plug to my Dell laptop has fixed my issues with VNC.

As I theorized in my post “VNC Cannot Currently Show the Desktop” and have since confirmed, when the laptop lid is closed, the laptop disconnects the monitor and Windows runs truly “headless”. Unfortunately VNC uses DirectX Desktop Duplication to grab a copy of what would be on the screen, and if there’s no screen there’s nothing for VNC to grab an duplicate copy of, so VNC is left doing a lot of hard work grabbing screen images using CPU rather than using the far more efficient DirectX shortcuts.

My proposed solution to this was to order an HDMI Dummy Plug, a little HDMI connector which pretends to be an HDMI monitor so that the laptop believes it has an active monitor connected. My other hope was that by having a fake external monitor for VNC to mirror, I might also be able to set it up with a higher resolution than the laptop’s own internal 1920×1080 screen, which might allow me to have a higher resolution remote session using VNC. Continue reading

0

Adding a MachineHealthCheck using Kustomize

MachineHealthChecks are a powerful feature in the Kubernetes Cluster API (CAPI), and something I played around with not too long ago on TGIK 143. Recently, I was helping to document the use of kustomize with Cluster API for inclusion in the upstream CAPI documentation, and I learned a simple trick with kustomize that I’d apparently overlooked in the past. If you’ve used kustomize for any great length of time you probably already know and have used the functionality I’ll describe in this post, but if you’re new to kustomize or, like me, a user of kustomize that hasn’t had time to dig into all of its functionality, then read on and see how you can use kustomize to add a MachineHealthCheck to a CAPI workload cluster.

If you’re not familiar with kustomize, then reading my introduction to kustomize may be useful before continuing on with the rest of this article.

In this use case—adding a MachineHealthCheck to an workload cluster in CAPI—I’ll work from the assumption that you have a “base” CAPI workload cluster definition (perhaps one you’ve generated using clusterctl config cluster). In the directory where this workload cluster manifest exists, you’d need to add a kustomization. Continue reading

0

Cloud Networking With Alkira – A Packet Pushers Livestream Event

Join the Packet Pushers for our inaugural Livestream with cloud networking company Alkira on April 22nd. In this live, online event we’ll take a deep dive into Alkira’s Network Cloud platform, which lets you deploy and manage single and multi-cloud networks. The Packet Pushers will host the event, and interview Alkira executives and customers. We’ll […]

The post Cloud Networking With Alkira – A Packet Pushers Livestream Event appeared first on Packet Pushers.

0

Cloudflare and WordPress.com partner to Help Build a Better Internet

Cloudflare’s mission is to help build a better Internet. We’ve been at it since 2009 and we’re making progress — with approximately 25 million Internet properties being secured and accelerated by our platform.

When we look at other companies that not only have the scale to impact the Internet, but who are also on a similar mission, it’s hard to ignore Automattic, maintainers of the ubiquitous open-source WordPress software and owner of one the web’s largest WordPress hosting platforms WordPress.com, where up to 409 million people read 20 billion pages every month.¹

Privacy First Web Analytics

When we started brainstorming ways to combine our impact, one shared value stood out: privacy. We both share a vision for a more private Internet. Today we’re excited to announce a number of initiatives, starting with the integration of Cloudflare’s privacy-first web analytics into WordPress.com. This integration gives WordPress.com publishers choice in how they collect usage data and derive insights about their visitors.

Automatic Platform Optimization for WordPress

This is not the first time Continue reading

0

Third Time’s the Cache, No More

Caching is a big part of how Cloudflare CDN makes the Internet faster and more reliable. When a visitor to a customer’s website requests an asset, we retrieve it from the customer’s origin server. After that first request, in many cases we cache that asset. Whenever anyone requests it again, we can serve it from one of our data centers close to them, dramatically speeding up load times.

Did you notice the small caveat? We cache after the first request in many cases, not all. One notable exception since 2010 up until now: requests with query strings. When a request came with a query string (think https://example.com/image.jpg?width=500; the ?width=500 is the query string), we needed to see it a whole three times before we would cache it on our default cache level. Weird!

This is a short tale of that strange exception, why we thought we needed it, and how, more than ten years later, we showed ourselves that we didn’t.

Two MISSes too many

To see the exception in action, here’s a command we ran a couple weeks ago. It requests an image hosted on example.com five times and prints each response’s CF-Cache-Status header. Continue reading

0

How to use the more and less commands: 2-Minute Linux Tips

In this Linux tip, learn how to use the more and less commands. They each allow you to browse the content of text files.

0

Interview: Is Networking Dead?

A few weeks ago I enjoyed a long-overdue chat with David Bombal. David published the first part of it under the click-bait headline Is Networking Dead (he renamed it Is There any Future for Networking Engineers in the meantime).

According to Betteridge’s law of headlines the answer to his original headline is NO (and the second headline violates that law – there you go 🤷‍♂️). If you’re still interested in the details, watch the interview.

0

Interview: Is Networking Dead?

A few weeks ago I enjoyed a long-overdue chat with David Bombal. David published the first part of it under the click-bait headline Is Networking Dead (he renamed it Is There any Future for Networking Engineers in the meantime).

According to Betteridge’s law of headlines the answer to his original headline is NO (and the second headline violates that law – there you go ?‍♂️). If you’re still interested in the details, watch the interview.