Justina Wong, Technical Support Team Lead in Lisbon, talks about what it’s like working at Cloudflare, and everything you need to know if you want to join us.
Justina joined Cloudflare about three years ago in London as a Technical Support Engineer. Currently, she’s part of their Customer Support team working in Lisbon as a team lead.
I can’t speak for others, but I love the things you can learn from the others. There are so many talented individuals who are willing and ready to teach/share. They are my inspiration and I want to become them!
On a Mission to Protect the Internet
Justina’s favourite Cloudflare products are firewall-related ones. The company’s primary concern is its customers, and it wants to make attack mitigation as easy as possible. As she puts it, “the fact that these protections are on multiple layers, like L7, L3/4, is very important, and I’m proud to be someone who can help our customers when they face certain attacks.”
Cloudflare is constantly releasing new products to help build a better Internet, so product managers are always on top of tool updates to facilitate that. The company believes that it’s not only important to help customers from the product side, but it’s also as important to teach them how to help themselves so that they can fix their issues promptly without having to wait for an answer.
Company culture and Office vibes
According to Justina, one of the amazing things about Cloudflare is the unified company culture. As their SVP of Engineering, Usman, said in a recent meeting with the team, “Be helpful, look around for problems and help find solutions”.
Every Cloudflare office has its own little “flare”: London’s love of mince pies; Singapore’s super fun cultural richness in one location (they have four new years in one year, officially); and Lisbon’s forever love (and fight) for pastéis de nata.
Each office also has its own function or focus, so people working at Cloudflare get to meet very diverse individuals. For Justina, the things that she has loved the most are learning from all of the engineers in London, picking up new customer service skills in Singapore and helping to build the new Lisbon office. She says that every time she goes to a different office, they have grown at least 50% in headcount compared to when she was last there. Talk about growth!
As a hiring manager, she also says that the company is mindful of diversity.
Like everywhere else, remote work has become the current normal at Cloudflare. As someone who enjoyed being in the office, Justina says “all the countless times I just walked over to someone to ask a question, now all turned into a chat message; or the random coffee chat when we waited for our coffee to be done.”
Funnily enough, the EMEA CSUP team is working closer than before the pandemic. Previously, each office was somewhat in its own communication bubble; now it has turned into a collective conversation. This is great for getting to know colleagues during and beyond work hours.
What you need to know if you want to land a job at Cloudflare in Lisbon
For Cloudflare, growing the team is a continuous challenge, and Justina has never needed to do as many interviews as she has done in the Lisbon office. Although it’s a huge challenge for her, it’s also fun. Since the company is hiring aggressively despite the pandemic, their teams are eager to welcome anyone who’s ready to be part of Lisbon Cloudflare.
One of the things you can expect if you work at Cloudflare is for your manager to care and for your feedback to be heard. We know these are valuable things when considering where to work. So if you’re someone who’s willing to learn and is excited about their technologies, this call is for you. The company is expanding in different markets, so they’re looking for tech candidates who can speak multiple languages.
It has now been more than 90 days since I joined Cloudflare’s EMEA Recruiting Team as a Recruiting Coordinator based in Lisbon. In a year filled with hardships for so many people around the world, I wanted to share my journey. I hope people will relate and feel encouraged to pursue their dreams, even during these challenging times.
When 2020 started, it was not in my plans to change jobs and start working at a new company, completely remote, without ever meeting my colleagues in person or visiting the office. However, that is exactly what happened, and I am so glad I did.
Interviewing with Cloudflare
The number of interviews in the hiring process at Cloudflare may feel overwhelming for some – in my case, I met 11 people during this process. For me, I was glad to have so many chances to get to know the people I would be working with. I believe I got as much out of the conversations as the interviewers did, which is great — a recruitment process should be as much about the company getting to know you, as you getting to know the company.
A great thing about interviewing remotely is that I got the chance to talk to people all around the globe, which enriched the process and my idea of Cloudflare as a company. I started to picture myself as an actual member of the team, definitely interested in working towards a better and safer Internet. Even though there were many interviews to get through, the constant communication with the team made me feel engaged and excited. In the end, the process went by quickly, even quicker than I expected.
The best thing was the outpouring of support I received from what would be my future teammates once I accepted the offer. I felt welcomed way before my actual start date!
Remote Onboarding: Adapting and Evolving
In all my previous companies, onboarding was done in person and small groups. I was not prepared for a fully remote experience with a class of more than 20 people, yet it was so smooth and well-coordinated that you wouldn’t believe it had been run virtually for only a few months!
My onboarding class included people from all over the world — Lisbon, Austin, Miami, Washington, London, Munich, Singapore… And not only that, but we were all starting different roles, from Customer Success to Engineering, and even Legal Counsel! This gave me the opportunity to know people I otherwise wouldn’t have had the chance to meet, and it allowed me to establish bonds early on with my colleagues. Given the current situation, knowing that people were in the same boat with me felt reassuring. I felt that we were in it together, in a way. Not only that, but I got everything I needed for work (and more — like a pair of Cloudflare socks!) delivered to my home, making the whole experience very comfortable for me.
Ramping up and aiming for the stars
Starting in a new role can be a daunting experience — it’s a new environment, a new team, a new project, and lots of things that could go sideways. However, there are also a lot of things that can go right!
At Cloudflare, I found an extremely welcoming, supportive team that helped me ramp up and take ownership of my work quickly and effectively. I felt so supported that I took ownership of a big project right away — Cloudflare Careers Day. Right from the start, it was clear to me that Cloudflare has ambitious goals for the growth of our Lisbon office. I thought about the ways I could help with that, and a virtual careers day seemed like a great first step to drive brand awareness and let people know that we are hiring! The Recruitment Team set in motion a plan to turn this idea into reality in less than three months, resulting in a successful and fun first edition of the Cloudflare Careers Day in November 2020.
Of course, there were times when I felt unsure of myself and my abilities. But this is why it is so important to be able to rely on your team. In the end, I feel I have grown a lot in just three months — not only professionally, but personally as well!
I look forward to working on more projects. I’m excited to write with this blog post, which I hope will inspire more people to take a chance, believe in themselves and just go for it! Even in these strange, stressful times, good things can and do happen, especially when you are surrounded by talented, inspiring people.
What does the future hold?
Lisbon! I am excited to help grow our Lisbon office, recruiting talented people that feel as strongly as I do about helping build a better Internet. We have many different open roles at the moment so, if you see one that suits you, take a chance and reach out. Maybe you’ll embark on a new journey, just like me.
It’s the end of the year, so we thought it would be a great time to give you an update on how we’re doing and what we’re planning for 2021. If you’re reading this, you know we like to share everything we do at Cloudflare, including how the organization is evolving.
In July, John Graham-Cumming wrote a blog post entitled Cloudflare’s first year in Lisbon and showed how we went from an announcement, just a few months before, to an entirely bootstrapped and fully functional office. At the time, despite a ramping pandemic, the team was already hard at work doing a fantastic job scaling up and solidifying our presence here.
A few weeks later, in August, I proudly joined the team.
The first weeks
Cloudflare is, by any standard, a big company. There’s a lot you need to learn, many people you need to get to know first, and a lot of setup steps you need to get through before you’re in a position to do actual real productive work.
Joining the company during COVID was challenging. I felt just as excited as I was scared. We were (and still are) fully working from home, and I didn’t have a team to work with in person. A setup like this surely looks daunting, even for experienced people.
But here’s the thing. Cloudflare isn’t just any company. We’re unparalleled because we masterfully combine scale, ambition, talent, product, vision, values, and culture in a way that’s very difficult to replicate and maintain at any other company.
We’re big, but we move fast. We’re over 1,600 working together, but it feels like a cohesive group. We’re distributed across multiple offices and continents, often working in teams with members from different time zones, but we don’t notice it. We have tools, documentation, and methodologies, but they don’t get in the way of our “shipping products” mantra. There are product owners, teams for specific features, but we all hold ownership for everyone’s work.
I felt all of this right after my orientation week. The warm welcome, the regular check-ins to say hello and see how I was doing, and everyone’s urge to make sure I was adjusting and getting all the help I needed, giving me advice, introducing me to other colleagues. Cloudflarians take genuine pride in making sure everyone feels at home. You can learn more about this experience from a Story Time segment John did with me.
Where do we stand
Cloudflare Lisbon has come a long way. We now have 74 incredibly talented people working or joining in areas such as Engineering, Security, Infrastructure, Customer Support, People, Places, Product Management, Emerging Technologies or Accounting, and growing fast.
Although the pandemic didn’t help our plans, especially those related to growing and physically working in our brand new office on Praça Marquês de Pombal, it didn’t slow us down either. In November and December alone, 15 people joined the team. We’re gaining momentum.
More interestingly, we have a super diverse team in Lisbon, and we couldn’t be prouder of it. We’re putting action ahead of words and actively contributing to create more opportunities for women in technology and to attract people to work in Portugal regardless of their country of origin.
Our discussions on whether “Pastéis de Nata” is best served with or without cinnamon, our holiday traditions, Portuguese music, coffee, our frequent virtual Pub Quizzes, escape room events, and of course, the comments on shirtless Marcelo are now routine. They are evidence that we feel like a group working together, having fun while growing.
Returning to Portugal?
We live in unusual and contemplative times. Many of our emigrants living outside the country are considering returning home to Portugal and our office in Lisbon is proof of this growing movement. Portuguese returnees represent roughly 10% of our team.
The Portuguese Government has an initiative called “Programa Regressar,” where they provide tax benefits and financial assistance to support emigrants and their families returning to Portugal.
While this is great, we think it’s not enough. Moving you and your family to another country is a life-changing event. Although things like patriotism, cost of living, and tax incentives play an essential role in the personal decision process, skilled and talented people will also be looking for a great workplace and a meaningful, ambitious company to join.
This is where Cloudflare can help you. We can provide you the best of the two worlds. Living in a beautiful country, your home, while working in a world-class company, solving big problems at scale on a mission to help build a better Internet with a unique culture. Furthermore, we support your return, and we’re ready to help you in any way we can.
Cloudflare is serious about its presence in Portugal. We’re going to continue growing and investing in highly skilled talent for our Lisbon office and making it one of Cloudflare’s top locations, alongside San Francisco, Austin, Singapore, and London.
Currently, we have 28 open positions in Lisbon, and you can expect new ones to open over the upcoming weeks. Some are for teams based in Lisbon, like Data Insights and Cloudflare Radar (we’re doubling in 2021), while others will join different projects, some of which have teams distributed across multiple offices.
If you decide to apply, there are many resources you can use to learn about Cloudflare and improve your chances of snatching your dream job. Here are a few:
Our Blog. We share an unusual amount of information about our infrastructure and products, our technical decisions, architecture, and our approach to solving complex, large-scale technical challenges.
Our Official Github Page. We have open source encoded in our DNA, and we like to give back to the community whenever possible. Cloudflare has over 300 public projects that you can explore, try yourself, or fork.
Cloudflare TV airs excellent content all the time. You can check our schedule for numerous live segments with the team and guests or re-run past segments. We also have a “Best of” archive.
Finally, you can try our products. As part of our mission and values, we offer very generous free tiers to individual users and small startups. You can try our CDN features, DDoS, Workers (100,000 requests per day, with Workers KV included), and even Access for Teams (with Argo tunnel included, for companies or households under 50 seats), at no cost.
We’re a highly ambitious, large-scale technology company with a soul. Fundamental to our mission to help build a better Internet is protecting the free and open Internet. Cloudflare powers Internet requests for ~16% of the Fortune 1,000 and serves 20 million HTTP requests per second on average.
Lisbon’s combination of a large and growing existing tech ecosystem, attractive immigration policy, political stability, high standard of living, as well as logistical factors like time zone (the same as the UK) and direct flights to San Francisco made it the clear winner.
We landed in Lisbon with a small team of transplants from other Cloudflare offices. Twelve of us moved from the UK, US and Singapore to bootstrap here. Today we are 35 people with another 10 having accepted offers; we’ve almost quadrupled in a year and we intend to keep growing to around 80 by the end of 2020.
If you read back to my description of why we chose Lisbon only one item hasn’t turned out quite as we expected. Sure enough TAP Portugal does have direct flights to San Francisco but the pandemic put an end to all business flying worldwide for Cloudflare. We all look forward to getting back to being able to visit our colleagues in other locations.
The pandemic also put us in the odd position of needing to move from one empty office to another. Back in January the Cloudflare Lisbon office was in the Chiado and only had capacity for about 14 people. With our rapid growth we moved, in February, to a larger, temporary location on Avenida da Liberdade which had room for about 25 people.
And in early April, we moved to our longer term office on Praça Marquês de Pombal. Of course, by that time the State of Emergency had been declared in Portugal and the office move took place in our absence. But it sits waiting for our return sometime in early 2021.
The team that landed in Lisbon covered Customer Support, Security, IT, Technology, and Emerging Technology and Incubation, but, as we suspected, we’ve grown in many other departments and the rest of Cloudflare is realizing how much Lisbon and Portugal have to offer. In addition to the original team we now have people in SRE, Payroll, Accounting, Trust and Safety, People and Places, Product Management and Infrastructure.
Despite the pandemic we’re continuing to invest in Lisbon with 24 open roles in Customer Support, Infrastructure, People and Places, Engineering, Accounting and Finance, Security, Business Intelligence, Product Management and Emerging Technology and Incubation.
As I said in an interview with AICEP earlier this year “É nosso objetivo construir em Lisboa um dos maiores escritórios da Cloudflare” (“It’s our objective to build in Lisbon one of the major Cloudflare offices”). You can read the full Portuguese-language interview here. We continue to believe that Lisbon is a vital part of Cloudflare’s growth.
I’ve spent a huge amount of my career on aircraft and the last few months have felt very odd, but I couldn’t have been happier to find myself temporarily stuck in Lisbon. No doubt we’ll all be traveling again but this last year has confirmed my impression that Lisbon is a great place to live.
I asked our team what they’d found they love about living in Lisbon and Portugal. They came back with pasteis de nata, sunshine every day, the jacaranda trees, feijoada, empada de galinha, Joker, Super Bock, chocolate mousse being an everyday staple, Maria biscuits, quality fresh produce, dolphins, lizards in the gardens, MB Way, ovos moles de Aveiro, so great that only ~30/40min from here you get such nice beaches like the ones in Setubal, Sintra, Cascais, Sesimbra, bica, sardines, the Alentejo coastline, the chicken from Bonjardim, family friendliness and how nice it is to raise children here, fast, reliable and cheap Internet access, and so much more.
This is the text I used for a talk at artificial intelligence powered translation platform, Unbabel, in Lisbon on September 25, 2019.
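Bom dia. Eu sou John Graham-Cumming o CTO do Cloudflare. E agora eu vou falar em inglês. (“Good morning. I am John Graham-Cumming, the CTO of Cloudflare. And now I am going to speak in English.”)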
Thanks for inviting me to talk about Cloudflare and how we think about security. I’m about to move to Portugal permanently so I hope I’ll be able to do this talk in Portuguese in a few months.
I know that most of you don’t have English as a first language so I’m going to speak a little more deliberately than usual. And I’ll make the text of this talk available for you to read.
But there are no slides today.
I’m going to talk about how Cloudflare thinks about internal security, how we protect ourselves and how we secure our day to day work. This isn’t a talk about Cloudflare’s products.
Let’s begin with culture.
Many companies have culture statements. I think almost 100% of these are pure nonsense. Culture is how you act every day, not words written on the wall.
One significant piece of company culture is the internal Security Incident mailing list which anyone in the company can send a message to. And they do! So far this month there have been 55 separate emails to that list reporting a security problem.
These mails come from all over the company, from every department. Two to three per day. And each mail is investigated by the internal security team. Each mail is assigned a Security Incident issue in our internal Atlassian Jira instance.
People send: reports that their laptop or phone has been stolen (their credentials get immediately invalidated), suspicions about a weird email that they’ve received (it might be phishing or malware in an attachment), a concern about physical security (for example, someone wanders into the office and starts asking odd questions), that they clicked on a bad link, that they lost their access card, and, occasionally, a security concern about our product.
Things like stolen or lost laptops and phones happen way more often than you’d imagine. We seem to lose about two per month. For that reason and many others we use full disk encryption on devices, complex passwords and two factor auth on every service employees need to access. And we discourage anyone from storing anything on their laptop and ask them to primarily use cloud apps for work. Plus we centrally manage machines and can remote wipe.
We have a 100% blame free culture. You clicked on a weird link? We’ll help you. Lost your phone? We’ll help you. Think you might have been phished? We’ll help you.
This has led to a culture of reporting problems, however minor, when they occur. It’s our first line of internal defense.
Just this month I clicked on a link that sent my web browser crazy hopping through redirects until I ended up at a bad place. I reported that to the mailing list.
I’ve never worked anywhere with such a strong culture of reporting security problems big and small.
We also use HackerOne to let people report security problems from the outside. This month we’ve received 14 reports of security problems. To be honest, most of what we receive through HackerOne is very low priority. People run automated scanning tools and report the smallest of configuration problems, or, quite often, things that they don’t understand but that look like security problems to them. But we triage and handle them all.
And people do on occasion report things that we need to fix.
We also have a private paid bug bounty program where we work with a group of individual hackers (around 150 right now) who get paid for the vulnerabilities that they’ve found.
We’ve found that this combination of a public responsible disclosure program and then a private paid program is working well. We invite the best hackers who come in through the public program to work with us closely in the private program.
So, that’s all about people, internal and external, reporting problems, vulnerabilities, or attacks. A very short step from that is knowing who the people are.
And that’s where identity and authentication become critical. In fact, as an industry trend identity management and authentication are one of the biggest areas of spending by CSOs and CISOs. And Cloudflare is no different.
OK, well it is different: instead of spending a lot on identity and authentication we’ve built our own solutions.
We did not always have good identity practices. In fact, for many years our systems had different logins and passwords and it was a complete mess. When a new employee started accounts had to be made on Google for email and calendar, on Atlassian for Jira and Wiki, on the VPN, on the WiFi network and then on a myriad of other systems for the blog, HR, SSH, build systems, etc. etc.
And when someone left all that had to be undone. And frequently this was done incorrectly. People would leave and accounts would still be left running for a period of time. This was a huge headache for us and is a huge headache for literally every company.
If I could tell companies one thing they can do to improve their security it would be: sort out identity and authentication. We did and it made things so much better.
This makes the process of bringing someone on board much smoother and the same when they leave. We can control who accesses what systems from a single control panel.
I have one login via a product we built called Cloudflare Access and I can get access to pretty much everything. I looked in my LastPass Vault while writing this talk and there are a total of just five username and password combinations and two of those needed deleting because we’ve migrated those systems to Access.
So, yes, we use password managers. And we lock down everything with high quality passwords and two factor authentication. Everyone at Cloudflare has a Yubikey and access to TOTP (such as Google Authenticator). There are three golden rules: all passwords should be created by the password manager, all authentication has to have a second factor and the second factor cannot be SMS.
We had great fun rolling out Yubikeys to the company because we did it during our annual retreat in a single company wide sitting. Each year Cloudflare gets the entire company together (now over 1,000 people) in a hotel for two to three days of working together, learning from outside experts and physical and cultural activities.
Last year the security team gave everyone a pair of physical security tokens (a Yubikey and a Titan Key from Google for Bluetooth) and in an epic session configured everyone’s accounts to use them.
Note: do not attempt to get 500 people to sync Bluetooth devices in the same room at the same time. Bluetooth cannot cope.
Another important thing we implemented is automatic timeout of access to a system. If you don’t use access to a system you lose it. That way we don’t have accounts that might have access to sensitive systems that could potentially be exploited.
To return to the subject of Culture for a moment an important Cloudflare trait is openness.
Some of you may know that back in 2017 Cloudflare had a horrible bug in our software that became called Cloudbleed. This bug leaked memory from inside our servers into people’s web browsing. Some of that web browsing was being done by search engine crawlers and ended up in the caches of search engines like Google.
We had to do two things: stop the actual bug (this was relatively easy and was done in under an hour) and then clean up the equivalent of an oil spill of data. That took longer (about a week to ten days) and was very complicated.
But from the very first night when we were informed of the problem we began documenting what had happened and what we were doing. I opened an EMACS buffer in the dead of night and started keeping a record.
That record turned into a giant disclosure blog post that contained the gory details of the error we made, its consequences and how we reacted once the error was known.
We followed up a few days later with a further long blog post assessing the impact and risk associated with the problem.
This approach to being totally open ended up being a huge success for us. It increased trust in our product and made people want to work with us more.
I was on my way to Berlin to give a talk to a large retailer about Cloudbleed when I suddenly realized that the company I was giving the talk at was NOT a customer. And I asked the salesperson I was with what I was doing.
I walked in to their 1,000 person engineering team all assembled to hear my talk. Afterwards the VP of Engineering thanked me saying that our transparency had made them want to work with us rather than their current vendor. My talk was really a sales pitch.
Similarly, at RSA last year I gave a talk about Cloudbleed and a very large company’s CSO came up and asked to use my talk internally to try to encourage their company to be so open.
When on July 2 this year we had an outage, which wasn’t security related, we once again blogged in incredible detail about what happened. And once again we heard from people about how our transparency mattered to them.
The lesson is that being open about mistakes increases trust. And if people trust you then they’ll tend to tell you when there are problems. I get a ton of reports of potential security problems via Twitter or email.
After Cloudbleed we started changing how we write software. Cloudbleed was caused, in part, by the use of memory-unsafe languages. In that case it was C code that could run past the end of a buffer.
We didn’t want that to happen again and so we’ve prioritized languages where that simply cannot happen. Such as Go and Rust. We were very well known for using Go. If you’ve ever visited a Cloudflare website, or used an app (and you have because of our scale) that uses us for its API then you’ve first done a DNS query to one of our servers.
That DNS query will have been responded to by a Go program called RRDNS.
There’s also a lot of Rust being written at Cloudflare and some of our newer products are being created using it. For example, Firewall Rules which do arbitrary filtering of requests to our customers are handled by a Rust program that needs to be low latency, stable and secure.
Security is a company wide commitment
The other post-Cloudbleed change was that any crashes on our machines came under the spotlight from the very top. If a process crashes I personally get emailed about it. And if the team doesn’t take those crashes seriously they get me poking at them until they do.
We missed the fact that Cloudbleed was crashing our machines and we won’t let that happen again. We use Sentry to correlate information about crashes and the Sentry output is one of the first things I look at in the morning.
Which, I think, brings up an important point. I spoke earlier about our culture of “If you see something weird, say something” but it’s equally important that security comes from the top down.
Our CSO, Joe Sullivan, doesn’t report to me, he reports to the CEO. That sends a clear message about where security sits in the company. But, also, the security team itself isn’t sitting quietly in the corner securing everything.
They are setting standards, acting as trusted advisors, and helping deal with incidents. But their biggest role is to be a source of knowledge for the rest of the company. Everyone at Cloudflare plays a role in keeping us secure.
You might expect me to have access to all our systems, a passcard that gets me into any room, a login for any service. But the opposite is true: I don’t have access to most things. I don’t need it to get my job done and so I don’t have it.
This makes me a less attractive target for hackers, and we apply the same rule to everyone. If you don’t need access for your job you don’t get it. That’s made a lot easier by the identity and authentication systems and by our rule about timing out access if you don’t use a service. You probably didn’t need it in the first place.
The flip side of all of us owning security is that deliberately doing the wrong thing has severe consequences.
Making a mistake is just fine. The person who wrote the bad line of code that caused Cloudbleed didn’t get fired, the person who wrote the bad regex that brought our service to a halt on July 2 is still with us.
Detection and Response
Naturally, things do go wrong internally. Things that didn’t get reported. To deal with them we need to detect problems quickly. This is an area where the security team does have real expertise and data.
We do this by collecting data about how our endpoints (my laptop, a company phone, servers on the edge of our network) are behaving. And this is fed into a homebuilt data platform that allows the security team to alert on anomalies.
It also allows them to look at historical data in case of a problem that occurred in the past, or to understand when a problem started.
Initially the team was going to use a commercial data platform or SIEM but they quickly realized that these platforms are incredibly expensive and they could build their own at a considerably lower price.
Also, Cloudflare handles a huge amount of data. When you’re looking at operating system level events on machines in 194 cities plus every employee you’re dealing with a huge stream. And the commercial data platforms love to charge by the size of that stream.
We are integrating internal DNS data, activity on individual machines, network netflow information, badge reader logs and operating system level events to get a complete picture of what’s happening on any machine we own.
When someone joins Cloudflare they travel to our head office in San Francisco for a week of training. Part of that training involves getting their laptop and setting it up and getting familiar with our internal systems and security.
During one of these orientation weeks a new employee managed to download malware while setting up their laptop. Our internal detection systems spotted this happening and the security team popped over to the orientation room and helped the employee get a fresh laptop.
The time between the malware being downloaded and detected was about 40 minutes.
If you don’t want to build something like this yourself, take a look at Google’s Chronicle product. It’s very cool.
One really rich source of data about your organization is DNS. For example, you can often spot malware just by the DNS queries it makes from a machine. If you do one thing then make sure all your machines use a single DNS resolver and get its logs.
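The DNS point above, as an added example (not Cloudflare's code): a small Python pass over resolver query logs that flags clients by two signals, a high share of NXDOMAIN answers and many random-looking subdomains under one parent domain. The log format, thresholds, helper names and sample lines are assumptions constructed for the illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log (assumed format, one query per line):
# <timestamp> <client IP> <query name> <query type> <response code>
SAMPLE_LOG = """\
2019-07-01T09:00:01Z 10.0.0.5 www.example.com A NOERROR
2019-07-01T09:00:02Z 10.0.0.5 mail.example.com A NOERROR
2019-07-01T09:00:03Z 10.0.0.5 intranet.example.com A NOERROR
2019-07-01T09:00:04Z 10.0.0.5 wiki.example.com A NXDOMAIN
2019-07-01T09:00:05Z 10.0.0.5 www.example.com AAAA NOERROR
2019-07-01T09:01:00Z 10.0.0.9 xkqzjvhwtpls.test A NXDOMAIN
2019-07-01T09:01:01Z 10.0.0.9 pmvbtyqzhdkw.test A NXDOMAIN
2019-07-01T09:01:02Z 10.0.0.9 hzqwlrkxnvbt.test A NXDOMAIN
2019-07-01T09:01:03Z 10.0.0.9 tbnwqkzmxjvh.test A NXDOMAIN
2019-07-01T09:01:04Z 10.0.0.9 www.example.com A NOERROR
2019-07-01T09:01:05Z 10.0.0.9 wqzkxvjhtbnm.test A NXDOMAIN
2019-07-01T09:02:00Z 10.0.0.12 q7x2m9k4z1v8b3n6.example.org TXT NOERROR
2019-07-01T09:02:01Z 10.0.0.12 h5w0r8c3y6t1j9d2.example.org TXT NOERROR
2019-07-01T09:02:02Z 10.0.0.12 p4g7s2l9f0a5e8u1.example.org TXT NOERROR
2019-07-01T09:02:03Z 10.0.0.12 n3k8v1b6x9z2m7q4.example.org TXT NOERROR
2019-07-01T09:02:04Z 10.0.0.12 this-is-malformed
"""

MIN_QUERIES = 5        # ignore clients with too few queries to judge
NXDOMAIN_RATIO = 0.5   # share of failed lookups that is worth a look
MIN_LABELS = 4         # distinct subdomains under one parent domain
ENTROPY_BITS = 3.5     # mean bits/char; dictionary-word labels score well below


def shannon_entropy(text):
    """Bits per character of a label; random-looking labels score high."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def parse_line(line):
    """Return (client, qname, rcode), or None for a malformed line."""
    fields = line.split()
    if len(fields) != 5:
        return None
    _ts, client, qname, _qtype, rcode = fields
    return client, qname.lower().rstrip("."), rcode.upper()


def split_name(qname):
    """Naive split into (subdomain, parent) on the last two labels.
    Assumption for this sample; real data needs the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(log_text):
    """Return ({client: [reasons]}, number of malformed lines skipped)."""
    total, failed = Counter(), Counter()
    subdomains = defaultdict(set)          # (client, parent) -> {subdomain}
    skipped = 0
    for line in filter(str.strip, log_text.splitlines()):
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1                   # count it, never crash on bad input
            continue
        client, qname, rcode = parsed
        total[client] += 1
        failed[client] += rcode == "NXDOMAIN"
        sub, parent = split_name(qname)
        if sub:
            subdomains[(client, parent)].add(sub)

    findings = defaultdict(list)
    for client, n in total.items():
        if n >= MIN_QUERIES and failed[client] / n >= NXDOMAIN_RATIO:
            findings[client].append(f"NXDOMAIN ratio {failed[client]}/{n}")
    for (client, parent), subs in subdomains.items():
        mean = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= MIN_LABELS and mean >= ENTROPY_BITS:
            findings[client].append(f"{len(subs)} high-entropy names under {parent}")
    return dict(findings), skipped


if __name__ == "__main__":
    hits, skipped = analyse(SAMPLE_LOG)
    print(hits, "malformed lines skipped:", skipped)
```

Both signals only work when every machine's queries land in the same log, which is why the single-resolver advice comes first.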
In some ways the most interesting part of Cloudflare is the least interesting from a security perspective. Not because there aren’t great technical challenges to securing machines in 194 cities but because some of the more apparently mundane things I’ve talked about have such huge impact.
Identity, Authentication, Culture, Detection and Response.
But, of course, the edge needs securing. And it’s a combination of physical data center security and software.
To give you one example let’s talk about SSL private keys. Those keys need to be distributed to our machines so that when an SSL connection is made to one of our servers we can respond. But SSL private keys are… private!
And we have a lot of them. So we have to distribute private key material securely. This is a hard problem. We encrypt the private keys while at rest and in transport with a separate key that is distributed to our edge machines securely.
Access to that key is tightly controlled so that no one can start decrypting keys in our database. And if our database leaked then the keys couldn’t be decrypted since the key needed is stored separately.
And that key is itself GPG encrypted.
But wait… there’s more!
We don’t actually want to have decrypted keys stored in any process that is accessible from the Internet. So we use a technology called Keyless SSL where the keys are kept by a separate process and accessed only when needed to perform operations.
And Keyless SSL can run anywhere. For example, it doesn’t have to be on the same machine as the machine handling an SSL connection. It doesn’t even have to be in the same country. Some of our customers make use of that to specify where their keys are distributed to.
Use Cloudflare to secure Cloudflare
One key strategy of Cloudflare is to eat our own dogfood. If you’ve not heard that term before it’s quite common in the US. The idea is that if you’re making food for dogs you should be so confident in its quality that you’d eat it yourself.
Cloudflare does the same for security. We use our own products to secure ourselves. But more than that if we see that there’s a product we don’t currently have in our security toolkit then we’ll go and build it.
Since Cloudflare is a cybersecurity company we face the same challenges as our customers, but we can also build our way out of those challenges. In this way, our internal security team is also a product team. They help to build or influence the direction of our own products.
The team is also a Cloudflare customer using our products to secure us and we get feedback internally on how well our products work. That makes us more secure and our products better.
Our customers’ data is more precious than ours
The data that passes through Cloudflare’s network is private and often very personal. Just think of your web browsing or app use. So we take great care of it.
We’re handling that data on behalf of our customers. They are trusting us to handle it with care and so we think of it as more precious than our own internal data.
Of course, we secure both because the security of one is related to the security of the other. But it’s worth thinking about the data you have that, in a way, belongs to your customer and is only in your care.
I hope this talk has been useful. I’ve tried to give you a sense of how Cloudflare thinks about security and operates. We don’t claim to be the ultimate geniuses of security and would love to hear your thoughts, ideas and experiences so we can improve.
Security is not static and requires constant attention and part of that attention is listening to what’s worked for others.
I was the 24th employee of Cloudflare and the first outside of San Francisco. Working out of my spare bedroom, I wrote a chunk of Cloudflare’s software before starting to recruit a team in London. Today, Cloudflare London, our EMEA headquarters, has more than 200 people working in the historic County Hall building opposite the Houses of Parliament. My spare bedroom is ancient history.
And Cloudflare didn’t stop at London. We now have people in Munich, Singapore, Beijing, Austin, TX, Chicago and Champaign, IL, New York, Washington, DC, San Jose, CA, Miami, FL, and Sydney, Australia, as well as San Francisco and London. And today we’re announcing the establishment of a new technical hub in Lisbon, Portugal. As part of that office opening I will be relocating to Lisbon this summer along with a small number of technical folks from other Cloudflare offices.
We’re recruiting in Lisbon starting today. Go here to see all the current opportunities. We’re looking for people to fill roles in Engineering, Security, Product, Product Strategy, Technology Research, and Customer Support.
My first real idea of Lisbon dates to 30 years ago with the 1989 publication of John Le Carré’s The Russia House. As real, of course, as any Le Carré view of the world:
[…] ten years ago on a whim Barley Blair, having inherited a stray couple of thousand from a remote aunt, bought himself a scruffy pied-a-terre in Lisbon, where he was accustomed to take periodic rests from the burden of his many-sided soul. It could have been Cornwall, it could have been Provence or Timbuktu. But Lisbon by an accident had got him […]
Cloudflare’s choice of Lisbon, however, came not by way of an accident but a careful search for a new continental European city in which to locate a technical office. I had been invited to Lisbon back in 2014 to speak at SAPO Codebits and been impressed by the size and range of technical talent present at the event. Subsequently, we looked at 45 cities across 29 countries, narrowing down to a final list of three.
Lisbon’s combination of a large and growing existing tech ecosystem, attractive immigration policy, political stability, high standard of living, as well as logistical factors like time zone (the same as the UK) and direct flights to San Francisco made it the clear winner.
Eu começei a aprender Português há três meses… and I’m looking forward to discovering a country and a culture, and building a new technical hub for Cloudflare. We have found a thriving local technology ecosystem, supported both by the government and a myriad of exciting startups, and we look forward to collaborating with them to continue to raise Lisbon’s profile.
We had a total of 212 Mission Space Lab entries from 22 countries. Of these, 114 fantastic projects have been given flight status, and the teams’ project code will run in space!
But they’re not winners yet. In April, the code will be sent to the ISS, and then the teams will receive back their experimental data. Next, to get deeper insight into the process of scientific endeavour, they will need to produce a final report analysing their findings. Winners will be chosen based on the merit of their final report, and the winning teams will get exclusive prizes. Check the list below to see if your team got flight status.
Flight status achieved:
Team De Vesten, Campus De Vesten, Antwerpen
Ursa Major, CoderDojo Belgium, West-Vlaanderen
Special operations STEM, Sint-Claracollege, Antwerpen
Flight status achieved:
Let It Grow, Branksome Hall, Toronto
The Dark Side of Light, Branksome Hall, Toronto
Genie On The ISS, Branksome Hall, Toronto
Byte by PIthons, Youth Tech Education Society & Kid Code Jeunesse, Edmonton
The Broadviewnauts, Broadview, Ottawa
Flight status achieved:
BLEK, Střední Odborná Škola Blatná, Strakonice
Flight status achieved:
2y Infotek, Nærum Gymnasium, Nærum
Equation Quotation, Allerød Gymnasium, Lillerød
Team Weather Watchers, Allerød Gymnasium, Allerød
Space Gardners, Nærum Gymnasium, Nærum
Flight status achieved:
Team Aurora, Hyvinkään yhteiskoulun lukio, Hyvinkää
Flight status achieved:
INC2, Lycée Raoul Follereau, Bourgogne
Space Project SP4, Lycée Saint-Paul IV, Reunion Island
Dresseurs2Python, clg Albert CAMUS, essonne
Lazos, Lycée Aux Lazaristes, Rhone
The space nerds, Lycée Saint André Colmar, Alsace
Les Spationautes Valériquais, lycée de la Côte d’Albâtre, Normandie
Yet another judgment of the Court of Human Rights discussing the critical function of the media with regard to members of the judiciary. And once again this subject area is highlighted as one of considerable public interest.
In its judgment in Tavares de Almeida Fernandes and Almeida Fernandes v. Portugal, the ECtHR found a violation of Article 10 – freedom of expression.
It begins by recalling the general principles that the Court applies in its judgments under Article 10 ECHR, stating [53-59] that
The general principles for assessing whether an interference with the exercise of the right to freedom of expression is “necessary in a democratic society” within the meaning of Article 10 § 2 of the Convention are well established in the Court’s case-law. They were recently summarised in the judgments in Bédat v Switzerland (2016) and Pentikäinen v. Finland [GC] (2015).
Journalistic freedom covers possible recourse to exaggeration or even provocation (see Prager and Oberschlick).
Article 10 gives no indication of restricting political speech or debate on matters of public interest (see Morice v France 2015, with further references). A high level of protection of freedom of expression is normally accorded where a matter of public interest is concerned, as is the case in particular with the functioning of the judicial system (ibid.).
The Court has always distinguished between statements of fact, on the one hand, and value judgments. The existence of facts can be demonstrated; the truth of value judgments cannot. However, where a statement amounts to a value judgment, the proportionality of the interference depends on whether there is a sufficient factual basis for the impugned statement: if not, that value judgment may prove excessive (see Lindon, Otchakovsky-Laurens and Others v. France).
The protection afforded by Article 10 to journalists in relation to matters of public interest is subject to the condition that they act in good faith and provide accurate and reliable information in accordance with the ethics of journalism (see Bozhkov v. Bulgaria, 2011). In situations where there is a statement of fact without sufficient evidence, but the journalist is discussing a matter of genuine public interest, it is examined whether the journalist acted professionally and in good faith (Kasabova v. Bulgaria).
The Court examines whether a fair balance has been struck between the protection of freedom of expression and the protection of the reputation of the persons concerned. In two very recent cases the ECtHR went on to define criteria to be taken into account when the right to freedom of expression is balanced against the right to respect for private life (Axel Springer AG v Germany and Von Hannover v Germany (no. 2)).
Lastly, the nature and severity of the sanctions imposed are also factors to be taken into account when assessing the proportionality of the interference. As the Court has previously pointed out, interference with freedom of expression may have a chilling effect on the exercise of that freedom (see Morice).
Finally, the Court recalls that it takes into account the circumstances and overall context in which the statements in question were made (see Morice, § 162).
A Portuguese journalist wrote an editorial entitled “The Spider’s Strategy”, in which he gave his opinion on the election of a judge to the post of President of the Supreme Court. He was ordered to pay non-pecuniary damages for harming the judge’s reputation – an act “with a negative impact on the personal sphere, including the claimant’s family and professional circle”.
The issue was at the centre of lively debate in Portugal, which the national courts failed to take into account. There is no doubt that this issue is of considerable public interest. The Court expressly notes that the functioning of the judicial system, which is essential to any democratic society, is a matter of public interest (ibid., § 128). The persons chosen to represent the various institutions within the judicial system are also of considerable interest. Restrictions on freedom of expression in this sphere must therefore be interpreted strictly.
According to the judgment, it is already well established in the Court’s case-law that members of the judiciary acting in an official capacity may be subject to wider limits of criticism than ordinary citizens (see SARL Libération § 74, ECHR 2008). At the same time, the Court has repeatedly emphasised the special role of the judiciary, which, as the guarantor of justice, is a fundamental value in a State governed by the rule of law. It may prove necessary to protect the judiciary against destructive attacks when they are unfounded.
The Portuguese courts held that the claimant’s personal interest in protecting his reputation outweighed the right to freedom of expression. They found, inter alia, that some of the statements in the article were excessive, went beyond the limits of acceptable criticism and the right to inform, and constituted an attack on the personality rights of the new President of the Supreme Court.
First, the Court notes that these statements amount to value judgments, and ones with a sufficient factual basis.
Second, the Court finds that the national courts did not comment on the metaphorical tone of the impugned statements and did not discuss their content and meaning. They appear to have considered the statements in isolation from the rest of the article. For the ECtHR, the statements remain within the limits of permissible criticism and exaggeration. The Portuguese courts did not sufficiently explain how the journalist had exceeded his right to criticise and why his right to express his opinion had to be restricted.
Lastly, as regards the penalty imposed, the Court stresses that under the Convention an award of damages for insult or defamation must be reasonably proportionate to the harm suffered.
In conclusion: the Court does not find that the interference was “necessary in a democratic society”. According to the ECtHR, the Portuguese courts exceeded the margin of appreciation afforded to them with regard to possible restrictions on debates of public interest.
Ever since the launch of the first Raspberry Pi back in 2012, one thing that has been critical to us is to make our products easy to buy in as many countries as possible.
Buying a Raspberry Pi is certainly much simpler nowadays than it was when we were just starting out. Nevertheless, we want to go even further, and so today we are introducing an Approved Reseller programme. With this programme, we aim to recognise those resellers that represent Raspberry Pi products well, and make purchasing them easy for their customers.
The Raspberry Pi Approved Reseller programme
We’re launching the programme in eleven countries today: the UK, Ireland, France, Spain, Portugal, Italy, the Netherlands, Belgium, Luxembourg, Greece and South Africa. Over the next few weeks, you will see us expand it to at least 50 countries.
We will link to the Approved Resellers’ websites directly from our Products page via the “Buy now” button. For customers who want to buy for business applications we have also added a “Buy for business” button. After clicking it, you will be able to select your country from a drop down menu. Doing so will link you directly to the local websites of our two licensed partners, Premier Farnell and Electrocomponents.
Our newest Raspberry Pi Zero resellers
On top of this we are also adding 6 new Raspberry Pi Zero resellers, giving 13 countries direct access to the Raspberry Pi Zero for the first time. We are particularly excited that these countries include Brazil and India, since they both have proved difficult to supply in the past.
In October last year, with the European Space Agency and CNES, we launched the first ever European Astro Pi challenge. We asked students from all across Europe to write code for the flight of French ESA astronaut Thomas Pesquet to the International Space Station (ISS) as part of the Proxima mission. Today, we are very excited to announce the winners! First of all, though, we have a very special message from Thomas Pesquet himself, which comes all the way from space…
French ESA astronaut Thomas Pesquet floats in to thank all participants in the European Astro Pi challenge. In October last year, together with the European Space Agency, we launched the first ever European Astro Pi challenge for the flight of French ESA astronaut Thomas Pesquet to the International Space Station (ISS) as part of mission Proxima.
Thomas also recorded a video in French: you can click here to see it and to enjoy some more of his excellent microgravity acrobatics.
A bit of background
This year’s competition expands on our previous work with British ESA astronaut Tim Peake, in which, together with the UK Space Agency and ESA, we invited UK students to design software experiments to run on board the ISS.
Astro Pi Vis (AKA Ed) on board the ISS. Image from ESA.
In 2015, we built two space-hardened Raspberry Pi units, or Astro Pis, to act as the platform on which to run the students’ code. Affectionately nicknamed Ed and Izzy, the units were launched into space on an Atlas V rocket, arriving at the ISS a few days before Tim Peake. He had a great time running all of the programs, and the data collected was transmitted back to Earth so that the winners could analyse their results and share them with the public.
The European challenge provides the opportunity to design code to be run in space to school students from every ESA member country. To support the participants, we worked with ESA and CPC to design, manufacture, and distribute several hundred free Astro Pi activity kits to the teams who registered. Further support for teachers was provided in the form of three live webinars, a demonstration video, and numerous free educational resources.
The Astro Pi activity kit used by participants in the European challenge.
Thomas Pesquet assigned two missions to the teams:
A primary mission, for which teams needed to write code to detect when the crew are working in the Columbus module near the Astro Pi units.
A secondary mission, for which teams needed to come up with their own scientific investigation and write the code to execute it.
The deadline for code submissions was 28 February 2017, with the judging taking place the following week. We can now reveal which schools will have the privilege of having their code uploaded to the ISS and run in space.
The proud winners!
Everyone produced great work and the judges found it really tough to narrow the entries down. In addition to the winning submissions, there were a number of teams who had put a great deal of work into their projects, and whose entries have been awarded ‘Highly Commended’ status. These teams will also have their code run on the ISS.
We would like to say a big thank you to everyone who participated. Massive congratulations are due to the winners! We will upload your code digitally using the space-to-ground link over the next few weeks. Your code will be executed, and any files created will be downloaded from space and returned to you via email for analysis.
In no particular order, the winners are:
@stroteam, Institut de Genech, Hauts-de-France
Wierzbinski, École à la maison, Occitanie
Les Marsilyens, École J. M. Marsily, PACA
MauriacSpaceCoders, Lycée François Mauriac, Nouvelle-Aquitaine
Ici-bas, École de Saint-André d’Embrun, PACA
Les Astrollinaires, Lycée général et technologique Guillaume Apollinaire, PACA
ALTAÏR, Lycée Albert Claveille, Nouvelle Aquitaine
GalaXess Reloaded, Lycée Saint-Cricq, Nouvelle Aquitaine
Les CM de Neffiès, École Louis Authie, Occitanie
Équipe Sciences, Collège Léonce Bourliaguet, Nouvelle Aquitaine
Maurois ICN, Lycée André Maurois, Normandie
Space Project SP4, Lycée Saint-Paul IV, Île de la Réunion
4eme2 Gymnase Jean Sturm, Gymnase Jean Sturm, Grand Est
Astro Pascal dans les étoiles, École Pascal, Île-de-France
Today is Raspberry Pi’s fifth birthday: it’s five years since we launched the original Raspberry Pi, selling a hundred thousand units in the first day, and setting us on the road to a lifetime total (so far) of over twelve million units. To celebrate, we’re announcing a new product: meet Raspberry Pi Zero W, a new variant of Raspberry Pi Zero with wireless LAN and Bluetooth, priced at only $10.
Multum in parvo
So what’s the story?
In November 2015, we launched Raspberry Pi Zero, the diminutive $5 entry-level Raspberry Pi. This represented a fivefold reduction in cost over the original Model A: it was cheap enough that we could even stick it on the front cover of The MagPi, risking civil insurrection in newsagents throughout the land.
MagPi issue 40: causing trouble for WHSmith (credit: Adam Nicholls)
Over the ensuing fifteen months, Zero grew a camera connector and found its way into everything from miniature arcade cabinets to electric skateboards. Many of these use cases need wireless connectivity. The homebrew “People in Space” indicator in the lobby at Pi Towers is a typical example, with an official wireless dongle hanging off the single USB port: users often end up adding a USB hub to allow them to connect a keyboard, a mouse and a network adapter, and this hub can easily cost more than the Zero itself.
People in SPAAAAAACE
Zero W fixes this problem by integrating more functionality into the core product. It uses the same Cypress CYW43438 wireless chip as Raspberry Pi 3 Model B to provide 802.11n wireless LAN and Bluetooth 4.0 connectivity.
To recap, here’s the full feature list for Zero W:
1GHz, single-core CPU
Micro-USB On-The-Go port
HAT-compatible 40-pin header
Composite video and reset headers
CSI camera connector
802.11n wireless LAN
We imagine you’ll find all sorts of uses for Zero W. It makes a better general-purpose computer because you’re less likely to need a hub: if you’re using Bluetooth peripherals you might well end up with nothing at all plugged into the USB port. And of course it’s a great platform for experimenting with IoT applications.
To accompany Raspberry Pi Zero W, we’ve been working with our friends at Kinneir Dufort and T-Zero to create an official injection-moulded case. This shares the same design language as the official case for the Raspberry Pi 3, and features three interchangeable lids:
A blank one
One with an aperture to let you access the GPIOs
One with an aperture and mounting point for a camera
Three cases for the price of one
The case set also includes a short camera adapter flexi, and a set of rubber feet to make sure your cased Zero or Zero W doesn’t slide off the desk.
You may have noticed that we’ve added several new Zero distributors recently: ModMyPi in the UK, pi3g in Germany, Samm Teknoloji in Turkey, Kubii in France, Spain, Italy and Portugal, and Kiwi Electronics in the Netherlands, Belgium and Luxembourg.
Raspberry Pi Zero W is available from all Zero distributors today, with the exception of Micro Center, who should have stock in stores by the end of this week. Check the icons below to find the stockist that’s best for you!
Twenty four (24) external and internal contributors worked together to create this edition of the AWS Week in Review. If you would like to join the party please visit the AWS Week in Review on GitHub. I am also about to open up some discussion on a simplified and streamlined submission process.