The New York Times is reporting on state-sponsored disinformation campaigns coming out of China:
Since that wave of panic, United States intelligence agencies have assessed that Chinese operatives helped push the messages across platforms, according to six American officials, who spoke on the condition of anonymity to publicly discuss intelligence matters. The amplification techniques are alarming to officials because the disinformation showed up as texts on many Americans’ cellphones, a tactic that several of the officials said they had not seen before.
The Chinese facial recognition company Hanwang claims it can recognize people wearing masks:
The company now says its masked facial recognition program has reached 95 percent accuracy in lab tests, and even claims that it is more accurate in real life, where its cameras take multiple photos of a person if the first attempt to identify them fails.
Counter-intuitively, training facial recognition algorithms to recognize masked faces involves throwing data away. A team at the University of Bradford published a study last year showing they could train a facial recognition program to accurately recognize half-faces by deleting parts of the photos they used to train the software.
When a facial recognition program tries to recognize a person, it takes a photo of the person to be identified, and reduces it down to a bundle, or vector, of numbers that describes the relative positions of features on the face.
Hanwang’s system works for masked faces by trying to guess what all the faces in its existing database of photographs would look like if they were masked.
Israel is using emergency surveillance powers to track people who may have COVID-19, joining China and Iran in using mass surveillance in this way. I believe pressure will increase to leverage existing corporate surveillance infrastructure for these purposes in the US and other countries. With that in mind, the EFF has some good thinking on how to balance public safety with civil liberties:
Thus, any data collection and digital monitoring of potential carriers of COVID-19 should take into consideration and commit to these principles:
Privacy intrusions must be necessary and proportionate. A program that collects, en masse, identifiable information about people must be scientifically justified and deemed necessary by public health experts for the purpose of containment. And that data processing must be proportionate to the need. For example, maintenance of 10 years of travel history of all people would not be proportionate to the need to contain a disease like COVID-19, which has a two-week incubation period.
Data collection based on science, not bias. Given the global scope of communicable diseases, there is historical precedent for impropergovernmentcontainmentefforts driven by bias based on nationality, ethnicity, religion, and race — rather than facts about a particular individual’s actual likelihood of contracting the virus, such as their travel history or contact with potentially infected people. Today, we must ensure that any automated data systems used to contain COVID-19 do not erroneously identify members of specific demographic groups as particularly susceptible to infection.
Expiration. As in other major emergencies in the past, there is a hazard that the data surveillance infrastructure we build to contain COVID-19 may long outlive the crisis it was intended to address. The government and its corporate cooperators must roll back any invasive programs created in the name of public health after crisis has been contained.
Transparency. Any government use of “big data” to track virus spread must be clearly and quickly explained to the public. This includes publication of detailed information about the information being gathered, the retention period for the information, the tools used to process that information, the ways these tools guide public health decisions, and whether these tools have had any positive or negative outcomes.
Due Process. If the government seeks to limit a person’s rights based on this “big data” surveillance (for example, to quarantine them based on the system’s conclusions about their relationships or travel), then the person must have the opportunity to timely and fairly challenge these conclusions and limits.
Interesting story of how a Chinese state-sponsored hacking group is bypassing the RSA SecurID two-factor authentication system.
How they did it remains unclear; although, the Fox-IT team has their theory. They said APT20 stole an RSA SecurID software token from a hacked system, which the Chinese actor then used on its computers to generate valid one-time codes and bypass 2FA at will.
Normally, this wouldn’t be possible. To use one of these software tokens, the user would need to connect a physical (hardware) device to their computer. The device and the software token would then generate a valid 2FA code. If the device was missing, the RSA SecureID software would generate an error.
The Fox-IT team explains how hackers might have gone around this issue:
The software token is generated for a specific system, but of course this system specific value could easily be retrieved by the actor when having access to the system of the victim.
As it turns out, the actor does not actually need to go through the trouble of obtaining the victim’s system specific value, because this specific value is only checked when importing the SecurID Token Seed, and has no relation to the seed used to generate actual 2-factor tokens. This means the actor can actually simply patch the check which verifies if the imported soft token was generated for this system, and does not need to bother with stealing the system specific value at all.
In short, all the actor has to do to make use of the 2 factor authentication codes is to steal an RSA SecurID Software Token and to patch 1 instruction, which results in the generation of valid tokens.
Long article on the manipulation of GPS in Shanghai. It seems not to be some Chinese military program, but ships who are stealing sand.
The Shanghai “crop circles,” which somehow spoof each vessel to a different false location, are something new. “I’m still puzzled by this,” says Humphreys. “I can’t get it to work out in the math. It’s an interesting mystery.” It’s also a mystery that raises the possibility of potentially deadly accidents.
“Captains and pilots have become very dependent on GPS, because it has been historically very reliable,” says Humphreys. “If it claims to be working, they rely on it and don’t double-check it all that much.”
On June 5 this year, the Run 5678, a river cargo ship, tried to overtake a smaller craft on the Huangpu, about five miles south of the Bund. The Run avoided the small ship but plowed right into the New Glory (Chinese name: Tong Yang Jingrui), a freighter heading north.
The United States government’s continuing disagreement with the Chinese company Huawei underscores a much larger problem with computer technologies in general: We have no choice but to trust them completely, and it’s impossible to verify that they’re trustworthy. Solving this problem which is increasingly a national security issue will require us to both make major policy changes and invent new technologies.
The Huawei problem is simple to explain. The company is based in China and subject to the rules and dictates of the Chinese government. The government could require Huawei to install back doors into the 5G routers it sells abroad, allowing the government to eavesdrop on communications or – even worse – take control of the routers during wartime. Since the United States will rely on those routers for all of its communications, we become vulnerable by building our 5G backbone on Huawei equipment.
It’s obvious that we can’t trust computer equipment from a country we don’t trust, but the problem is much more pervasive than that. The computers and smartphones you use are not built in the United States. Their chips aren’t made in the United States. The engineers who design and program them come from over a hundred countries. Thousands of people have the opportunity, acting alone, to slip a back door into the final product.
There’s more. Open-source software packages are increasingly targeted by groups installing back doors. Fake apps in the Google Play store illustrate vulnerabilities in our software distribution systems. The NotPetya worm was distributed by a fraudulent update to a popular Ukranian accounting package, illustrating vulnerabilities in our update systems. Hardware chips can be back-doored at the point of fabrication, even if the design is secure. The National Security Agency exploited the shipping process to subvert Cisco routers intended for the Syrian telephone company. The overall problem is that of supply-chain security, because every part of the supply chain can be attacked.
And while nation-state threats like China and Huawei – or Russia and the antivirus company Kaspersky a couple of years earlier – make the news, many of the vulnerabilities I described above are being exploited by cybercriminals.
Policy solutions involve forcing companies to open their technical details to inspection, including the source code of their products and the designs of their hardware. Huawei and Kaspersky have offered this sort of openness as a way to demonstrate that they are trustworthy. This is not a worthless gesture, and it helps, but it’s not nearly enough. Too many back doors can evade this kind of inspection.
Technical solutions fall into two basic categories, both currently beyond our reach. One is to improve the technical inspection processes for products whose designers provide source code and hardware design specifications, and for products that arrive without any transparency information at all. In both cases, we want to verify that the end product is secure and free of back doors. Sometimes we can do this for some classes of back doors: We can inspect source code this is how a Linux back door was discovered and removed in 2003 or the hardware design, which becomes a cleverness battle between attacker and defender.
This is an area that needs more research. Today, the advantage goes to the attacker. It’s hard to ensure that the hardware and software you examine is the same as what you get, and it’s too easy to create back doors that slip past inspection. And while we can find and correct some of these supply-chain attacks, we won’t find them all. It’s a needle-in-a-haystack problem, except we don’t know what a needle looks like. We need technologies, possibly based on artificial intelligence, that can inspect systems more thoroughly and faster than humans can do. We need them quickly.
The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, “You have to presume a dirty network.” Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?
It sounds ridiculous on its face, but the Internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it’s how we can have highly resilient distributed systems like Google’s network even though none of the individual components are particularly good. It’s also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.
Security is a lot harder than reliability. We don’t even really know how to build secure systems out of secure parts, let alone out of parts and processes that we can’t trust and that are almost certainly being subverted by governments and criminals around the world. Current security technologies are nowhere near good enough, though, to defend against these increasingly sophisticated attacks. So while this is an important part of the solution, and something we need to focus research on, it’s not going to solve our near-term problems.
At the same time, all of these problems are getting worse as computers and networks become more critical to personal and national security. The value of 5G isn’t for you to watch videos faster; it’s for things talking to things without bothering you. These things – cars, appliances, power plants, smart cities – increasingly affect the world in a direct physical manner. They’re increasingly autonomous, using A.I. and other technologies to make decisions without human intervention. The risk from Chinese back doors into our networks and computers isn’t that their government will listen in on our conversations; it’s that they’ll turn the power off or make all the cars crash into one another.
All of this doesn’t leave us with many options for today’s supply-chain problems. We still have to presume a dirty network – as well as back-doored computers and phones — and we can clean up only a fraction of the vulnerabilities. Citing the lack of non-Chinese alternatives for some of the communications hardware, already some are calling to abandon attempts to secure 5G from Chinese back doors and work on having secure American or European alternatives for 6G networks. It’s not nearly enough to solve the problem, but it’s a start.
Perhaps these half-solutions are the best we can do. Live with the problem today, and accelerate research to solve the problem for the future. These are research projects on a par with the Internet itself. They need government funding, like the Internet itself. And, also like the Internet, they’re critical to national security.
Critically, these systems must be as secure as we can make them. As former FCC Commissioner Tom Wheeler has explained, there’s a lot more to securing 5G than keeping Chinese equipment out of the network. This means we have to give up the fantasy that law enforcement can have back doors to aid criminal investigations without also weakening these systems. The world uses one network, and there can only be one answer: Either everyone gets to spy, or no one gets to spy. And as these systems become more critical to national security, a network secure from all eavesdroppers becomes more important.
The trade war with China has reached a new industry: subway cars. Congress is considering legislation that would prevent the world’s largest train maker, the Chinese-owned CRRC Corporation, from competing on new contracts in the United States.
Part of the reasoning behind this legislation is economic, and stems from worries about Chinese industries undercutting the competition and dominating key global industries. But another part involves fears about national security. News articles talk about “spy trains,” and the possibility that the train cars might surreptitiously monitor their passengers’ faces, movements, conversations or phone calls.
This is a complicated topic. There is definitely a national security risk in buying computer infrastructure from a country you don’t trust. That’s why there is so much worry about Chinese-made equipment for the new 5G wireless networks.
It’s also why the United States has blocked the cybersecurity company Kaspersky from selling its Russian-made antivirus products to US government agencies. Meanwhile, the chairman of China’s technology giant Huawei has pointed to NSA spying disclosed by Edward Snowden as a reason to mistrust US technology companies.
The reason these threats are so real is that it’s not difficult to hide surveillance or control infrastructure in computer components, and if they’re not turned on, they’re very difficult to find.
Like every other piece of modern machinery, modern train cars are filled with computers, and while it’s certainly possible to produce a subway car with enough surveillance apparatus to turn it into a “spy train,” in practice it doesn’t make much sense. The risk of discovery is too great, and the payoff would be too low. Like the United States, China is more likely to try to get data from the US communications infrastructure, or from the large Internet companies that already collect data on our every move as part of their business model.
While it’s unlikely that China would bother spying on commuters using subway cars, it would be much less surprising if a tech company offered free Internet on subways in exchange for surveillance and data collection. Or if the NSA used those corporate systems for their own surveillance purposes (just as the agency has spied on in-flight cell phone calls, according to an investigation by the Intercept and Le Monde, citing documents provided by Edward Snowden). That’s an easier, and more fruitful, attack path.
We have credible reports that the Chinese hackedGmail around 2010, and there are ongoing concerns about both censorship and surveillance by the Chinese social-networking company TikTok. (TikTok’s parent company has told the Washington Post that the app doesn’t send American users’ info back to Beijing, and that the Chinese government does not influence the app’s use in the United States.)
Even so, these examples illustrate an important point: there’s no escaping the technology of inevitable surveillance. You have little choice but to rely on the companies that build your computers and write your software, whether in your smartphones, your 5G wireless infrastructure, or your subway cars. And those systems are so complicated that they can be secretly programmed to operate against your interests.
Last year, Le Monde reported that the Chinese government bugged the computer network of the headquarters of the African Union in Addis Ababa. China had built and outfitted the organization’s new headquarters as a foreign aid gift, reportedly secretly configuring the network to send copies of confidential data to Shanghai every night between 2012 and 2017. China denied having done so, of course.
If there’s any lesson from all of this, it’s that everybody spies using the Internet. The United States does it. Our allies do it. Our enemies do it. Many countries do it to each other, with their success largely dependent on how sophisticated their tech industries are.
China dominates the subway car manufacturing industry because of its low prices — the same reason it dominates the 5G hardware industry. Whether these low prices are because the companies are more efficient than their competitors or because they’re being unfairly subsidized by the Chinese government is a matter to be determined at trade negotiations.
Finally, Americans must understand that higher prices are an inevitable result of banning cheaper tech products from China.
We might willingly pay the higher prices because we want domestic control of our telecommunications infrastructure. We might willingly pay more because of some protectionist belief that global trade is somehow bad. But we need to make these decisions to protect ourselves deliberately and rationally, recognizing both the risks and the costs. And while I’m worried about our 5G infrastructure built using Chinese hardware, I’m not worried about our subway cars.
EDITED TO ADD: I had a lot of trouble with CNN’s legal department with this essay. They were very reluctant to call out the US and its allies for similar behavior, and spent a lot more time adding caveats to statements that I didn’t think needed them. They wouldn’t let me link to this Intercept article talking about US, French, and German infiltration of supply chains, or even the NSA document from the Snowden archives that proved the statements.
Reuters has a long article on the Chinese government APT attack called Cloud Hopper. It was much bigger than originally reported.
The hacking campaign, known as “Cloud Hopper,” was the subject of a U.S. indictment in December that accused two Chinese nationals of identity theft and fraud. Prosecutors described an elaborate operation that victimized multiple Western companies but stopped short of naming them. A Reuters report at the time identified two: Hewlett Packard Enterprise and IBM.
Yet the campaign ensnared at least six more major technology firms, touching five of the world’s 10 biggest tech service providers.
Also compromised by Cloud Hopper, Reuters has found: Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation and DXC Technology. HPE spun-off its services arm in a merger with Computer Sciences Corporation in 2017 to create DXC.
Waves of hacking victims emanate from those six plus HPE and IBM: their clients. Ericsson, which competes with Chinese firms in the strategically critical mobile telecoms business, is one. Others include travel reservation system Sabre, the American leader in managing plane bookings, and the largest shipbuilder for the U.S. Navy, Huntington Ingalls Industries, which builds America’s nuclear submarines at a Virginia shipyard.
Thanks to the Snowden, Shadow Brokers, and Vault7 leaks, Beijing officials are well aware of the US’ hefty arsenal of hacking tools, available for anything from smart TVs to Linux servers, and from routers to common desktop operating systems, such as Windows and Mac.
Since these leaks have revealed that the US can hack into almost anything, the Chinese government’s plan is to adopt a “security by obscurity” approach and run a custom operating system that will make it harder for foreign threat actors — mainly the US — to spy on Chinese military operations.
It’s unclear exactly how custom this new OS will be. It could be a Linux variant, like North Korea’s Red Star OS. Or it could be something completely new. Normally, I would be highly skeptical of a country being able to write and field its own custom operating system, but China is one of the few that is large enough to actually be able to do it. So I’m just moderately skeptical.
EDITED TO ADD (6/12): Russia also wants to develop its own flavor of Linux.
DEF CON is one of the largest and oldest security conferences in the world. Last year, it launched a beta event in China in hopes of bringing the local security communities closer together. This year, the organizer made things official by introducing DEF CON China 1.0 with a promise to build a forum for China where everyone can gather, connect, and grow together.
Themed “Technology’s Promise”, DEF CON China kicked off on 5/30 in Beijing and attracted participants of all ages. Watching young participants test, play and tinker with new technologies with such curiosity and excitement absolutely warmed our hearts!
It was a pleasure to participate in DEF CON China 1.0 this year and connect with local communities. Great synergy as we exchanged ideas and learnings on cybersecurity topics. Did I mention we also spoiled ourselves with the warm hospitality, wonderful food, live music, and amazing crowd while in Beijing.
Cloudflare’s Mission is to Help Build a Better Internet
Founded in 2009, Cloudflare is a global company with 180 data centers across 80 countries. Our Performance and Security Services work in conjunction to reduce latency of websites, mobile applications, and APIs end-to-end, while protecting against DDoS attack, abusive bots, and data breach.
We are looking forward to growing our presence in the region and continuing to serve our customers, partners, and prospects. Sign up for a free account now for a faster and safer Internet experience: cloudflare.com/sign-up.
We are a team with global vision and local insight committed to building a better Internet. We are hiring in Beijing and globally. Check out the opportunities here: cloudflare.com/careers and join us at Cloudflare today!
许多人都在电影中看到过极客指尖敲动，在数字的世界中急速驰骋的场景。然而现实生活中，这些人在哪儿不得而知。随着技术的发展，越来越多的年轻人加入了这个群体。在国外一直都有 DEF CON 这样的世界极客盛会。中国此前也还没有，直到去年 DEF CON 来到了中国，主办方斥巨资引进大会，想打造属于中国的技术社区，通过这样一个契机，将大家聚在一起，一同成长，最终构建一个属于中国自己的、真正的安全社区。于是，在 DEF CON 的名下，多了一个 DEF CON China。
今年，DEF CON 经过一年的沉淀后，进入了正式版本 1.0，这个世界顶级的安全会议，在五月底，以 “Technology’s Promise” — “科技点燃未来” 为主旨，于北京拉开了序幕，像是一位家长等待着 “孩子们” 一起过节。这个六一，还有什么能比来 DEF CON China 1.0 众乐乐更具意涵呢？
作为在中国地区的正式版本，DEF CON China 吸引了很多大咖前来参与，一直致力于网络安全的 Cloudflare，这次也前来共襄盛举，带来了最新的科技跟大家分享。
Yesterday, I visited the NSA. It was Cyber Command’s birthday, but that’s not why I was there. I visited as part of the Berklett Cybersecurity Project, run out of the Berkman Klein Center and funded by the Hewlett Foundation. (BERKman hewLETT — get it? We have a web page, but it’s badly out of date.)
It was a full day of meetings, all unclassified but under the Chatham House Rule. Gen. Nakasone welcomed us and took questions at the start. Various senior officials spoke with us on a variety of topics, but mostly focused on three areas:
Russian influence operations, both what the NSA and US Cyber Command did during the 2018 election and what they can do in the future;
China and the threats to critical infrastructure from untrusted computer hardware, both the 5G network and more broadly;
Machine learning, both how to ensure a ML system is compliant with all laws, and how ML can help with other compliance tasks.
It was all interesting. Those first two topics are ones that I am thinking and writing about, and it was good to hear their perspective. I find that I am much more closely aligned with the NSA about cybersecurity than I am about privacy, which made the meeting much less fraught than it would have been if we were discussing Section 702 of the FISA Amendments Act, Section 215 the USA Freedom Act (up for renewal next year), or any 4th Amendment violations. I don’t think we’re past those issues by any means, but they make up less of what I am working on.
As the old saying goes, good things come in pairs, 好事成双！ The month of May marks a double celebration in China for our customers, partners and Cloudflare.
First and Foremost
A Beijing Customer Appreciation Cocktail was held in the heart of Beijing at Yintai Centre Xiu Rooftop Garden Bar on the 10 May 2019, an RSVP event graced by our supportive group of partners and customers.
We have been blessed with almost 10 years of strong growth at Cloudflare – sharing our belief in providing access to internet security and performance to customers of all sizes and industries. This success has been the result of collaboration between our developers, our product team as represented today by our special guest, Jen Taylor, our Global Head of Product, Business Leaders Xavier Cai, Head of China business, and Aliza Knox Head of our APAC Business, James Ball our Head of Solutions Engineers for APAC, most importantly, by the trust and faith that our partners, such as Baidu, and customers have placed in us.
Double Happiness, 双喜
On the same week, we embarked on another exciting journey in China with our grand office opening at WeWork. Beijing team consists of functions from Customer Development to Solutions Engineering and Customer Success lead by Xavier, Head of China business. The team has grown rapidly in size by double since it started last year.
We continue to invest in China and to grow our customer base, and importantly our methods for supporting our customers, here are well. Those of us who came from different parts of the world, are also looking to learn from the wisdom and experience of our customers in this market. And to that end, we look forward to many more years of openness, trust, and mutual success.
In 2016, a hacker group calling itself the ShadowBrokers released a trove of 2013 NSA hacking tools and related documents. Most people believe it is a front for the Russian government. Since, then the vulnerabilities and tools have been used by both government and criminals, and put the NSA’s ability to secure its own cyberweapons seriously into question.
Now we havelearned that the Chinese used the tools fourteen months before the Shadow Brokers released them.
Does this mean that both the Chinese and the Russians stole the same set of NSA tools? Did the Russians steal them from the Chinese, who stole them from us? Did it work the other way? I don’t think anyone has any idea. But this certainly illustrates how dangerous it is for the NSA — or US Cyber Command — to hoard zero-day vulnerabilities.
Supply chain security is an insurmountably hard problem. The recent focus is on Chinese 5G equipment, but the problem is much broader. This opinion piece looks at undersea communications cables:
But now the Chinese conglomerate Huawei Technologies, the leading firm working to deliver 5G telephony networks globally, has gone to sea. Under its Huawei Marine Networks component, it is constructing or improving nearly 100 submarine cables around the world. Last year it completed a cable stretching nearly 4,000 miles from Brazil to Cameroon. (The cable is partly owned by China Unicom, a state-controlled telecom operator.) Rivals claim that Chinese firms are able to lowball the bidding because they receive subsidies from Beijing.
Just as the experts are justifiably concerned about the inclusion of espionage “back doors” in Huawei’s 5G technology, Western intelligence professionals oppose the company’s engagement in the undersea version, which provides a much bigger bang for the buck because so much data rides on so few cables.
This shouldn’t surprise anyone. For years, the US and the Five Eyes have had a monopoly on spying on the Internet around the globe. Other countries want in.
As I have repeatedly said, we need to decide if we are going to build our future Internet systems for security or surveillance. Either everyone gets to spy, or no one gets to spy. And I believe we must choose security over surveillance, and implement a defense-dominant strategy.
“Real knowledge is to know the extent of one’s ignorance.” ― Confucius
Don’t tell our CEO, Matthew Prince, but the first day I interviewed at Cloudflare I had a $9.00 phone in my pocket, a knock-off similar to a Nokia 5140, but the UI was all in Chinese characters—that phone was a fitting symbol for my technical prowess. At that time in my career I could send emails and use Google, but that was about the extent of my tech skill set. The only code I’d ever seen was in the Matrix, Apple computers confused me, and I was working as a philosophy lecturer at The University of California, Santa Cruz. So, you know, I was pretty much the ideal candidate for a deeply technical, Silicon Valley startup.
This was in 2013. I had just returned from two years of Peace Corps service in the far Southwest of China approaching the Himalayan plateau. That experience gave me the confidence to walk into Cloudflare’s office knowing that I would be good for the job despite the gaps in my knowledge. My early training in philosophy plus my Peace Corps service gave me a blueprint for learning and figuring things out when thrown into the deep end (it turns out that I love being thrown into the deep end and learning to swim).
I had no idea that this first meeting with Matthew would eventually lead me back to China, this time riding on the cloud of a fast-growing Silicon Valley tech giant.
Two years earlier, eighty Peace Corps Volunteers and myself landed in the capital of Sichuan province, Chengdu. The vast majority of us, myself included, spoke zero Mandarin and only knew about China from books and a few news snippets here and there. The Chinese staff members that greeted us at the Peace Corps China headquarters on the Sichuan University campus affectionately called us “baby pandas”, because we were cute and fairly incompetent in terms of operating in China.
Our mission was to help China meet its need for trained men and women—specifically to teach college level students English and train qualified Teachers of English as a foreign language instructors (TEFL instructors). We were also there to promote a better understanding of Americans abroad, and to do our best to gain some understanding of China and its people.
Thus began two years of deep learning and profound personal growth.
When I think about the most important aspects of my time in China, there are three fundamentals that I come back to:
The importance of learning the language and culture
The importance of 关系 (guanxi) or personal connections and relationships
The necessity of being resourceful
The most successful Peace Corps volunteers in my cohort were the ones that learned to speak Mandarin well, understood enough about Chinese culture to operate effectively in their schools and communities, had built important personal and professional relationships, and had figured out how to survive in Southwest China and be useful as English language resources and American cultural liaisons. There was a steep learning curve.
Peace Corps Service in China has four phases more or less. Phase one, Pre Service Training (PST), took place at Sichuan University. We were all living with Chinese host families, taking 8-9 hours of Mandarin class each day, learning about Chinese culture, and being trained as TEFL instructors. It is an intense period of learning against a backdrop of tremendous culture shock, jet lag, and general confusion of how to be an American in Southwest China.
After three months of well taught crash courses, I was sent out to the college where I would spend the next two years of my service. That first night, after I unpacked my bags and took a shower, the reality of my life decisions came crashing down. This was going to be *very* hard. I was alone with millions and millions of Chinese people in remote Sichuan. Phase two was about to begin.
Getting familiar with the college where I was to spend two years was another steep learning curve. I was introduced to the colleagues I’d be teaching with as well as the school administrators, and, most importantly, I was introduced to my students. I got lucky, the English department at my school was small, and I only had 20-30 students in each of my classes. I met with them 4 times a week for two hours a day, so I had ample time to really get to know them and work with them one-on-one in the classroom, during office hours, and over spicy Sichuan dinners.
That first year of service I studied Mandarin as if my life depended on it—because it sort of did. Few people, i.e. my students and colleagues, spoke English in rural Sichuan. As I was able to communicate better in Mandarin, my understanding of the culture grew and so did my relationships with folks at my school and community.
In an effort to understand more about the culture I was living in, I gave myself an education in Chinese philosophy starting with Confucius (孔子) and the Daoist like Laozi (老子) and Zhuangzi (庄子), and I also looked into Buddhism. Since the world’s wisdom traditions contain universal principles that transcend time and culture, these readings gave me subtle insights into the Chinese way of life. I learned that Confucianism is the invisible glue holding much of Chinese society together. And while Confucius spoke to Chinese society and how people ought to act, his contemporary, Laozi, considered the founder of Daoism, spoke to the Chinese soul via the Dao de Jing (道德经).
Apropos of philosophy, one beautiful Chinese proverb I found in my reading goes: “Only those who take leisurely what the rest of the world is concerned about, can be concerned about with the rest of the world takes leisurely”. A calligraphy artist at my school gifted me a piece of work expressing this:
I also learned early on in my service what my students needed: authentic opportunities to express themselves in English, understanding and encouragement, and a solid English text book that employed the latest pedagogical techniques for learning a foreign language. Since my Mandarin was slow going, my students had all sorts of authentic opportunities to speak to me in English. They ended up helping me translate a lot that first year as I navigated my life on campus. As for encouragement, I would often talk to them in my developing and broken Mandarin in front of the class. I messed up words and tones constantly, and they laughed (hard) and then kindly corrected me. In this way, I showed them that learning is all about making mistakes, and that it is fine to get it wrong as you begin. There is no other way to learn a language (or anything else). The last part, providing a solid textbook, would be more tricky.
I received enough training during PST to have some good ideas for teaching English as a foreign language, but I had no experience writing a language textbook. What I ended up doing was replicating the structure of the textbooks I was using to learn Mandarin: a dialogue which incorporates a few new vocab words, a list of those new vocab words, grammar practice using grammatical structures from the dialogue, and then photos of relevant objects or scenes that would allow students to use new vocabulary words to describe the photos using new words and structures. I would record these dialogues and then distribue the audio file to my students so they could hear my pronunciation.
We’d work with this dialogue, vocabulary, and grammar all week, then on Fridays I’d put them in a “language line”. Sort of like speed dating, but they would have to hold a conversation with their classmates around the topic of that week and use the new vocab words. I’d listen in and help guide them. Then at the end of class, we’d form a line and I’d ask each one of them a question individually that they had to answer before they could leave the classroom. This pushed each student into learning so that they could actually speak English confidently to a native English speaker. It was a rewarding project.
My students were super smart and diligent, and week after week their English level was going up. I was able to hold natural conversations with them while speaking slow, and my Mandarin was progressing to the point that I could clarify things in Mandarin to aid their English learning. And so I learned how to teach English.
I consider all of the second year of service phase three. It is in that second year that volunteers can do really great work. My language level was high enough to really communicate with my community and explore China more, I had a basic structure for teaching and kept honing it to fit the needs of my students, and I developed a lot of really important relationships with the administrators at my school and other wonderful folks in the area.
Phase four is the return to the US. Something that no one told me about Peace Corps service before I joined is that you actually sign up for three years, not two. And that the third year, the first year back home after service, would be the most challenging by far … readjusting to life in the US, starting up or continuing a career, feeling a million miles behind peers who cranked through two extra years in a work world. All of this while trying to work on one of the most important goals of the Peace Corps—Goal 3—helping Americans better understand China through my experiences. I’m doing this every chance I get. This blog is a part of fulfilling Goal 3.
My service in China impacted me in profound ways. I have a love and respect for China that was born of close contact with the wonderful people, culture, philosophy, and language I was steeped in. And it gave me a clear experience of my ability to grow and change and acquire new skills swiftly. By the end of my time, I could confidently hold a conversation in Mandarin, I could read sections of Chinese newspapers, I had written an English text book for my students, and I made so many friends. All of that came from slow, diligent, hard work—and finding the necessary resources to get things done for my students in non-obvious ways. I had a clearly outlined experience of what diligence and time can do, and I knew deep in me is the potential to learn, adapt, and grow into almost anything.
Two years of remote Peace Corps work (which, despite being among millions of Chinese people, is often an isolating experience) gave me ample time to reflect on my life. While I find teaching deeply rewarding and I love the study of philosophy, I felt that I needed a different pool to swim in than academia. I thought that the private sector would likely offer the most opportunity, so when I came back to the US, I decided to move to San Francisco and aim for a job in tech. I figured that would be like plunging into the ocean, and I was keen to see where the global economic currents might take me.
In the first few weeks I was back in the US I set up 4-5 informational interviews each week. I spoke to people at Google and Square, folks working in event planning, in finance, in HR, in construction, etc. Then one of my colleagues at the university mentioned that their friend (Matthew) had a tech startup called “Cloudflare” and could maybe use some help writing stuff. I followed up right away.
Career Change: From teaching to tech – How Hard Can It Be?
Despite hours of Googling “What is a Cloudflare?”, I was utterly and completely out of my depth when Matthew explained to me what the company does. Before my interview with him, I had done my homework memorizing definitions for acronyms like CDN, DNS, DDoS, and API, but I didn’t really know what they were. The instructions I received before the interview were to learn a bit about how Cloudflare works, and “Don’t wear a suit and tie”. This was a time in Cloudflare history when we had about 60 employees, about 30 data centers, and a bit of duct tape in the office pressing extension cords into the carpet.
I was intimidated speaking to Matthew the first time. He is an amazingly accomplished and incredibly intelligent person. I checked out his LinkedIn profile, and I didn’t know anything about SPAM, law school, business school, being an entrepreneur, or how the Internet works. The folks in Peace Corps China always talked about being resourceful, so I looked for and found an opportunity to connect with him on a level that I could grasp. Matthew, who has unbelievable credentials and professional accolades, still has “Ski Instructor” on his LinkedIn profile somewhere between “Adjunct Professor of Law” and “Harvard Business School”:
I had just spent all of my time in China aiming to build relationships with my students and other people in my community that were from vastly different backgrounds and trying to find common ground from which to build rapport and trust. I thought, if someone this accomplished keeps their ski instructor experience on their resume, it must have a lot of meaning. I’m glad I followed that intuition because this topic led to a great conversation with Matthew about hometowns, ski trips, and ski equipment, which eventually lead to a conversation about surfing and surfboards, which is right in my wheelhouse. It turned out to be a great interview because we connected over things that we both found important. We found a piece of common ground that didn’t seem obvious at first—part of that being a deep curiosity for how and why things work. Looking back five years, I can say without reservation that finding a way to connect with Matthew that day has had a profoundly positive impact on the course of my life.
When it came time for me to interview with our co-founder, Michelle, she understood that I had a lot to learn about the company, and she took the time to draw out a simplified map of Cloudflare’s network on a yellow legal pad. She drew jagged, little clouds around the world and patiently explained what global caching is, how Anycast networking helps with DDoS attacks, and how DNS is like the phone book of the Internet. I was struck that such a highly intelligent person, HBS grad, co-founder of a major tech firm would take time out of their busy day to do this. I learned later that Michelle is always like this. She is amazing with names, stops to talk to folks in the office whenever she can, and sets a tone of respect, compassion, and understanding at the office. It is inspiring.
I then had a video interview with John Graham-Cumming, our CTO, who was in London. There was no getting away from tech with this interview. So I Googled everything I could about John. I read his book Geek Atlas, I watched his TED Talk, and I looked into his interest in Movie Code. I was ready for this interview. We talked about the Parkes Radio Telescope in Australia, Alan Turing, and about the code in the Matrix (thank you, Neo!). John is a fascinating speaker and a legend in the technology space. He is also kind and patient, and he never made me feel silly for not grasping technical concepts right away.
After 6-7 interviews over the following weeks, the feedback I got was that I was a good culture fit, I was hard-working and smart, but I just didn’t have the technical knowledge to do the job. That feedback seemed spot on, but I wasn’t going to let that hold me back. I knew I could be useful to this company. I knew that if they gave me a shot and threw me into the deep end that I would learn to swim. I knew what I needed to do: learn the language and culture of Silicon Valley, make connections, and be resourceful.
I stood outside of the old Cloudflare office at 665 3rd St. in San Francisco, and I told myself that I have to get in that door. I didn’t know exactly what they are doing in there, but it seemed weird and interesting, and I wanted to be a part of it.
So I started learning. Another returned Peace Corps volunteer that I’d met in the Bay Area sat down with me one weekend and helped me build a simple website from the ground up. In the most basic HTML and CSS, we embedded a video we made about my China experience. On the site I made the background color orange to match the Cloudflare logo and wrote something like, “Check it out Matthew and Michelle, I’m learning how to write code!”, and I sent them the link.
In the following weeks, I sent more follow up emails to Matthew than felt polite. But it worked. Matthew, Michelle, and John took a huge risk on me, and I got an offer to be Cloudflare’s “Writer” (since that was really the only thing that made sense for an academic philosopher to do at a tech firm). They actually gave me business cards that read: Andrew A. Schafer – Writer.
When I accepted the offer via email, Matthew wrote back saying that getting up to speed with Cloudflare was “going to be like drinking from a fire hose”.
Drinking from the Fire Hose:
On day one, I sat down next to the folks on the Data Team and introduced myself. They all said a quick, polite “hi” and then put their head phones back on immediately and continued to write code. I didn’t learn for a long time that engineers DO NOT like to be interrupted when they are coding. This is a key feature of tech culture.
At one point John Graham-Cumming walked past my desk and asked me why I was staring at that man in the orange shirt so much. I turned around and exclaimed, “John, did you know that the Internet has LED lasers that blink on and off BILLIONS of times per second?!” He calmly replied, “yes” and then went about his business. That fact made my mind melt. I had so much to learn.
One of the first things I worked on as Cloudflare’s Writer was some of the PR efforts surrounding Project Galileo, DDoS attack protection for at-risk public interest websites, which I’m still proud of. I worked with our legal team to draft up this blog post, which helped me to understand the implications and power of Cloudflare’s technology in real-world terms.
I worked with Nick Sullivan a whole bunch at the beginning also, which was mystifying. He is already a great writer and he was writing about such complex things. There were times where I was adding punctuation to sentences that made sense grammatically, but I didn’t understand their content. I learned a lot about encryption, and my tech vocabulary grew.
At one point I also helped John Graham-Cumming with a few blogs. John is a published author, so I didn’t really help him write anything, but I did help him bring his posts way down to my level. You can see my influence on this blog post about Shellshock. That day I learned the term “zero day vulnerability”.
In that blog John wrote: “Attackers will also use an ACE vulnerability to upload or run a program that gives them a simple way of controlling the targeted machine. This is often achieved by running a “shell”. I read his draft and I asked him, “What is a shell?”. A question, I learned much later, that was highly embarrassing to ask at a tech office. But I didn’t know, and I wanted to know. So we clarified that, “A shell is a command-line where commands can be entered and executed” in the post just in case other tech noobs like myself were trying to follow along. I learned how to be a translator from tech-speak to normal English.
I even researched and wrote a few posts of my own, like this one about Raspberry Pi’s fronted by Cloudflare. I had no idea what a Raspberry Pi was before being asked to write this. Thankfully one of the folks on the Data Team had one and let me borrow it for a photo op. I learned about the inspiring philosophy behind Raspberry Pi and the vibrant community that uses them.
As the official Cloudflare Writer, I was proud of writing the copy for our dashboard. That project was an amazing way for me to get to know a lot of key members of the engineering team and have them teach me exactly how each feature worked. I wrote out what I understood, clarified some points with them, and then made a pull request to get the explanations into the code base for our dashboard.
If you’ve ever used these help menus—you are welcome! (Note: lots of other Cloudflare team members have kept this updated and expanded.)
Eventually, I became an honorary member of the Data Team. It took some doing, but I learned Python the hard way, and I wrote a Python script that would print my name 100,000 times in the terminal. I crashed my machine when I tried to make it print my name 100,000,000,000,000 times. I learned something about code that day—it can break things.
I ran this code while sitting next to the person who had built Cloudflare’s original database. I did a victory dance when I crashed my laptop I was so proud of myself. That is sort of like me bragging about my backyard badminton skills next to Serena Williams.
I dipped my toes into the language of code, and started to speak that language with the engineers around me. This helped me to learn an important lesson about tech culture: the deeper your technical understanding the greater the respect you receive.
Eventually, I was ready for a new challenge at Cloudflare—talking to our clients.
The first thing I learned in a client facing role at Cloudflare is that Cloudflare is not a widget or a nice-to-have—it is mission critical technology for everyone that uses it. When something goes wrong people are very upset. The second thing I learned in a client facing role at Cloudflare is that the Internet is a fragile little teacup and it runs on human trust—which is astonishing. The combination of those two facts created ample opportunity for me to develop my listening and communication skills.
I started by rereading How to Win Friends and Influence People, by Dale Carnegie and took special note of rule number four, which states, “Be A Good Listener”. I quickly graduated to the philosophy and practice of Nonviolent Communication, by Marshall B. Rosenberg. I ended up taking some NVC courses in San Francisco focused on listening skills in this style. I also took compassion meditation courses via Stanford a few years in a row, which had a profound impact on my ability to empathise with our clients.
While brushing up on and honing these interpersonal skills was helpful, what I learned in a lot of those early meetings with clients was that I need to understand Cloudflare’s technology better. It’s one thing to be able to talk about it, it’s a whole different thing to be able to understand it enough to solve real issues.
I decided to do the “homework” our Solutions Engineering team gives out to their hiring candidates. I had to learn command-line basics, create an origin web server on DigitalOcean, install Ubuntu, configure a firewall, install NGINX, create a simple website from HTML, add an image to that site, set up DNS, and then put Cloudflare in front of it.
I set up my first DNS record in Cloudflare to point to my origin server, and was like “OHHHHHHH SNAP! That is how DNS works! It maps my domain name to the IP address of my server!” Hands on learning makes all the difference.
And I learned that WWW is a subdomain of the apex!! What???
It wouldn’t be a legit Cloudflare blog without more code, so here we go. I ended up writing (modifying) this amazing piece of code based on the NGINX HTML welcome page template:
Notice that I added an image:
I’m now a web developer! I’ve added yet another cat photo to the Internet. You are welcome world! (Note at the time of publishing my site is offline [I forgot to renew the domain—oopsy]).
Once I had my site up and running on Cloudflare, I learned how to make API calls to pull down the our Enterprise raw logs and use jq to sort them (jq, I learned, is “a lightweight and flexible command-line JSON processor”):
(Note: This cURL command does not contain a real API key. I learned the hard way to NEVER include the API key when sharing a cURL.)
I was so proud. I could say things like, “pull down the raw logs and pipe them into jq” to my clients, and I actually knew what I was saying—my tech language skills were improving.
I then read “High Performance Browser Networking” by Ilya Grigorik. I didn’t even understand what that title meant at first. I had to translate it into non-tech English. It turns out that, for example, Chrome is a high performance browser, which is a tool you use to navigate a network of computers, a.k.a. the Internet. So it is a guide book for building the most performant web apps within the limits of current browser and networking technology.
Grigorik’s philosophy resonates with me, “Good developers know how things work. Great developers know why things work.” Insert any other profession or art and the statement remains true.
It took me six months of reading on bus rides to work, but by the end I could say things like, WebSocket API, Subprotocol Negotiation, TLS OCSP Stapling, and TCP Head-of-Line Blocking. I learned from Grigorik that, “TCP provides the abstraction of a reliable network running over an unreliable channel, which includes basic packet error checking and correction, in-order delivery, retransmission of lost packets, as well as flow control, congestion control, and congestion avoidance designed to operate the network at the point of greatest efficiency. Combined, these features make TCP the preferred transport for most applications.” Who knew?
After putting so much work into learning what Cloudflare really does, I came to understand something fundamental about the tech world: the learning never stops. Never. The fire hose never turns off.
When I started at Cloudflare we offered more domains and extra SSL cert hosting slots as our additional products. Now we have Workers and Access and Argo and Argo Tunnel and Spectrum and Load Balancing and Stream and a Mobile SDK, and the list keeps growing. And we all have to learn about all of this new technology as it gets released. It is amazing!
Over the last few years, I’ve learned the language of Silicon Valley, and more specifically, I can speak the language of Cloudflare fluently. That has made a huge difference in my career.
Life @ 101 Townsend:
I’ve enjoyed a lot of successes at Cloudflare, but the one achievement I’m most proud of is creating the “Big Horse Award for Strong Work”.
The idea for this came directly from chapter 2 of How to Win Friends and Influence People: “Give honest and sincere appreciation”. I make it a point to tell the folks I work with that they are doing outstanding work every chance I get because the folks I work with really are doing outstanding work all the time, and they should know about it.
Maybe three years ago my best friend at Cloudflare sent me a message via HipChat that read something like: “Hey Big Horse, you check that Jira ticket yet?”. From that day forward I called everyone “Big Horse” on HipChat at all times, which I thought was hilarious and everyone else thought was weird or annoying.
Shortly after that, in an effort to step up my “Give honest and sincere appreciation” game, I started sending emails to the whole company pointing out the strong work our support team was doing in our Zendesk customer support tickets. Our support team is world-class, but since only a few teams in the office can access Zendesk, a lot of folks internally don’t see their amazing work. I decided to take screenshots of tickets that were particularly well-handled and share them. I’d titled these emails “Strong Work, Big Horse!”. I quickly learned that emailing the whole company “does not scale”.
This culminated at one of our all hands B.E.E.R. meetings, where I gave out a Big Horse Award to a few outstanding members of our Support team. I had this stunningly beautiful trophy made for the occasion:
We needed a logo, so I Googled “stupid horse drawings” and found an image. With a little editing via photo editor and PowerPoint, a meme was born:
Since then we’ve had all sorts of iterations of the Big Horse logo:
And we had paraphernalia made:
Our support team even spray painted “Big Horse” on the side of a building on 4th St in downtown San Francisco on a team outing:
We’ve issued a new Sparkle Lama award as well—since not everyone wants to be called a big horse:
Many Cloudflare team members have Big Horse and Sparkle Lama stickers on their laptops, and we’ve shipped those golden big horse trophies around the world to our London and Singapore offices. These symbols have become easy ways to let our teammates know that they are doing great work. It is a small thing, but it adds up and helps make Cloudflare a great place to work.
Just a few weeks ago this Tweet was pointed out to me:
Well, Neil, the reason for this is that a few engineers and myself had big plans of launching a website around the Big Horse Award, we bought big.horse and a few others, but we didn’t follow through—yet. Stay tuned.
The Big Horse and Sparkle Lama Awards are my contribution the tech culture I’ve been a student of these last few years.
回中国 （Back to China)
Five years after those first conversations with Matthew, Michelle, and John, I’m headed back to China with Cloudflare!
We are expanding our presence in China, and I have the good fortune (幸福) to combine the skills I acquired in philosophy and in the Peace Corps with the skills I acquired in Silicon Valley. We will be onboarding new Chinese clients, hiring more team members, and building out partnerships with other Chinese tech firms. I’m incredibly lucky to be headed back to a country that I love and embark on a new adventure.
I have a whole new fire hose aimed at me, and I plan to drink deep. I’ve been taking Mandarin classes again, this time to learn words like encryption (加密), caching (缓存), and cloud software (云软件). I’ll be learning a whole new interpersonal skill set around working with clients in China and across Asia. And since the office is just starting, this project will be a new exercise in resourcefulness.
life_journey = ["China", "Silicon Valley", "China"]
for x in life_journey
I had no idea how much opportunity lay before me when I walked in the door as “the writer”, and I am profoundly grateful that Cloudflare took a chance on me. I plan to throw myself into this project in China, to learn and grow and contribute, and to figure out the best way to translate “Strong Work, Big Horse” into Mandarin.
A research group at NATO’s Strategic Communications Center of Excellence catfished soldiers involved in an European military exercise — we don’t know what country they were from — to demonstrate the power of the attack technique.
Over four weeks, the researchers developed fake pages and closed groups on Facebook that looked like they were associated with the military exercise, as well as profiles impersonating service members both real and imagined.
To recruit soldiers to the pages, they used targeted Facebook advertising. Those pages then promoted the closed groups the researchers had created. Inside the groups, the researchers used their phony accounts to ask the real service members questions about their battalions and their work. They also used these accounts to “friend” service members. According to the report, Facebook’s Suggested Friends feature proved helpful in surfacing additional targets.
The researchers also tracked down service members’ Instagram and Twitter accounts and searched for other information available online, some of which a bad actor might be able to exploit. “We managed to find quite a lot of data on individual people, which would include sensitive information,” Biteniece says. “Like a serviceman having a wife and also being on dating apps.”
By the end of the exercise, the researchers identified 150 soldiers, found the locations of several battalions, tracked troop movements, and compelled service members to engage in “undesirable behavior,” including leaving their positions against orders.
“Every person has a button. For somebody there’s a financial issue, for somebody it’s a very appealing date, for somebody it’s a family thing,” Sarts says. “It’s varied, but everybody has a button. The point is, what’s openly available online is sufficient to know what that is.”
This is the future of warfare. It’s one of the reasons China stole all of that data from the Office of Personal Management. If indeed a country’s intelligence service was behind the Equifax attack, this is why they did it.
Go back and read this scenario from the Center for Strategic and International Studies. Why wouldn’t a country intent on starting a war do it that way?
The collective thoughts of the interwebz
The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.