Originally aired on July 25 @ 12:00 PM - 12:30 PM EDT
In this special conversation, João Tomé sits down with John Graham-Cumming, Cloudflare’s former CTO and current board member, to look back at Cloudflare’s journey — from Universal SSL and Heartbleed to Workers, Radar, and what’s next for the Internet.
Topics & Timecodes:
00:58 – Favorite Cloudflare Moments: Universal SSL & Heartbleed Impact
04:36 – The Philosophy of Offering Free Services
09:20 – Evolution and Impact of the Cloudflare Blog
14:23 – Unique Cloudflare Teams: Crypto/Research Team
17:37 – The Lava Lamp Wall Story
20:41 – Key Moments for Zero Trust and Workers
22:50 – The Origin of Workers and Culture of Freedom
25:36 – The 1.1.1.1 Public Resolver Story
27:51 – The Legacy and Importance of the Cloudflare Blog
29:56 – The Value of Radar and Transparency
30:53 – Cloudflare’s Future as an Iconic Internet Company
Don’t miss Part 2 of our 100th episode celebration, featuring highlights from past guests and the latest Cloudflare blog stories.
Two. One. Hello from Lisbon, Portugal. Welcome to This Week in NET. Say bye. Perfect.
Perfect. Welcome to a very special episode of This Week in NET.
Our 100th full episode. I'm your host, João Tomé, coming to you from Cloudflare's Lisbon office.
Over the past three years and four seasons, we've had amazing guests, deep dives, demos, shorter updates and also live shows.
The journey began in 2022 with John Graham-Cumming and me.
First, I always did this show with John initially, Cloudflare CTO and Editor-in-Chief of the blog at the time.
And since late 2023, we started to have other guests and amazing experts.
To celebrate this milestone, we're sharing a conversation I recorded with John a few weeks ago here in Lisbon.
John was Cloudflare CTO until March 2025 and is now on our Board of Directors.
It's a fun chat about how the Internet has changed, how Cloudflare has grown, the Cloudflare blog that has been the main fuel for this program and podcast, and what might be coming next for Cloudflare.
Because we had so much great content and guests, we'll have a second part of this episode.
Let's call it Episode 100B with clips from several of the experts we had in the show over the years.
Including John, of course. Last but not least, because we're in the Cloudflare Lisbon office library, let's give a book suggestion.
And in this case, it's actually related to John Graham-Cumming.
The Geek Atlas by John Graham-Cumming highlights 188 science and technology landmarks, including Bletchley Park, the historic site where British codebreakers led by figures like Alan Turing deciphered German Enigma codes during World War II.
So, without further ado, here's my conversation with John Graham-Cumming.
Did you have, in those days, a favorite moment that you felt, we achieved something here, really, truly?
Maybe there were a few. I mean, Universal SSL, because what happened with Universal SSL is that we doubled the size of the web, right?
And then, when Heartbleed happened, because we used OpenSSL, we thought, well, we should revoke all of our certificates.
And it was such a large revocation that, rather than check certificates, Chrome actually hard-coded into the Chrome source code.
If the certificate is Cloudflare with a date of before this, ignore it. It's literally in the source code.
And I was like, wow. So, we made Google, they just decided to change the source code and roll out a patch to Chrome.
So, that felt pretty big.
So, that was a big change for the web, because Let's Encrypt was not a thing.
And also, the free part, right? It was free, right? Just open it. So, it came along, and it was just great.
I mean, it was all part of it, but just give that away.
That felt like, whoa, we have a real power to do things. And then, we patched a couple of things where we gave the WAF away to everybody, because we thought they were serious enough.
We sort of felt the power of having the large platform. That felt pretty exciting.
But, you know, just the scale. You know, at some point, I would look at the statistics for how many requests per second we were doing or whatever, and it just felt unreal.
Small company at the time still, but dealing with a lot.
Small company, millions per second. Let's say the impact and stuff like that.
And just the other day, I had a moment like that, which is I went to the TAP Air Portugal website, and when you log in, there's Turnstile.
Oh. Appearing there.
Appearing right there. Interesting. I believe Universal SSL for free was 2014, so early on.
Early on, yeah. And it became like a motto of the company being building a great free service, free protocols, free things specifically.
In what way it was a decision, Matthew explained this a lot, of the ecosystem will have more information.
It helps us in general, but also it's a good thing to do.
In what way, like, were there at any time pressures of, hey, we should make money from this?
Okay, so occasionally people ask the question, you know, should we keep this feature for these customers or whatever like that?
And so Matthew, as you say, has explained all of the benefits of the free platform, the data and optimization of our costs of bandwidth and all that kind of stuff.
But if you think about, just forget about Cloudflare, if you think about technology in general, capabilities get driven down into free or cheap services over time.
Things that were impossible to do before or impossibly expensive become cheaper and then end up just being part of the thing, right?
That's just an inevitable part of technology. So what happens if you decide you're going to charge a very large amount of money for some feature is that you basically put a stake in the ground and say, this is how I'm going to make this money with a piece of technology that's going to become increasingly difficult for me to defend over time.
Because other people are going to do it cheaper, right? And it's going to warp how I deal with my customers and it's going to, you know, warp the company around this kind of like, there's this one feature that, you know, if you want to have it, it costs you 10,000 euros a day, right?
And you inevitably get out-innovated by somewhere else because someone else comes along.
And, you know, there are companies that are successful in this kind of defending kind of thing, but they're different from what Cloudflare is like as a company.
And so it's a terrible mistake to think that you have to have this thing.
What you should do is you should try to push down all the features all the way down to the free.
Now, there may be some things where you want to limit it because it costs you a lot to do it.
So you might want to say, look, there's a limit to how much you can use this thing for free.
But you should never like guard it as only a technology company.
And that even applies to quite enterprise type features. So, for example, very complicated access control is something that all enterprises need.
They need to have, you know, control over who can access what and you can see everything.
That feature needs to exist. But it also can, there's no reason why that can't exist for the free customer too.
Maybe you have less, smaller limits because they don't need the more complex configuration.
But I think that ultimately what happens is you protect yourself against someone out-innovating you.
And what the large customers are really looking for, they're not looking for do I, you know, have I got something someone else hasn't got?
They're looking for the whole package of like, how do I work with Cloudflare on a long-term relationship basis?
So, when you look at the enterprise kind of world up here, yeah, they want a lot of complicated features because they've got a complicated environment and they probably want integrations with things that don't exist necessarily for the free customer.
But what they really want is a relationship. What they're really paying you for is you're going to be with me through my transformation of my company and the operation of this thing over time.
And so that's something different from it's going to cost you X in order to get access to this one feature.
It just becomes a stake in the ground where you say I have decided to live in the past today.
It's interesting also because it became something that Cloudflare is known for.
Yeah, it's known for, yeah. It's actually like even without thinking about it, it's actually a good marketing move.
Yes, and the thing that Cloudflare has done extremely well is figured out how to use the power of the free customers to build a sustainable business from a financial perspective.
That is what, you know, as much as Cloudflare is a technology company, it is also run by people who understand the business and not just the technology.
And I think the mistake I made in my career over time was I loved the technology and didn't think about what the business looked like.
Cloudflare has managed to do both.
So as much as we're a technology company, we are a very carefully run technology company.
I'm one of those that read the first blog posts, many blog posts.
When did you start looking at the blog as, hey, we have a tool here that could be interesting?
Well, the blog already existed before I joined. Of course.
As Matthew said to me the other day, the blog was awful at the beginning. It was really naive in a sense.
Yeah, and it was just... I liked to read it even... It was kind of funny because it was like very, very early, like company news, you know, kind of stuff like that.
There's a new employee. Yes, exactly. It was stuff like that.
It was very simple. I actually don't really remember. I just remember thinking that, you know, we could write about what we're doing.
And Matthew was very much encouraging that.
He was like, we should talk about what we're doing. And I just started writing stuff.
Like particularly for my own blog, I'll just write whatever, right?
I'll write whatever project I'm working on. And try and write it clearly. Try and write it in a way that people will understand it without sort of thinking too much about like a strategy or something like that.
It's more about what are we doing?
Because I think people are interested in actual real things and not, you know, thought leadership or some crap like that.
True. And so I wrote an early blog about Railgun.
I wrote about like all sorts of stuff like that. Matthew was very encouraging with that idea and I was happy to write that stuff up.
Matthew spoke about this specifically like when there was the Google outage and Tom Paseka went and wrote a blog post about that.
And you could see that there was an impact. People wanted to learn about that.
When you also start to think of the blog as a way to explain what's happening specifically or even what you were doing.
I mean, we just – the blog helped us punch above our weight.
Because, you know, when we explain something like the Google outage, people are like, oh, who's Cloudflare?
Cloudflare knows stuff about this.
They're smart people. And, you know, that seeing the interest in the company is huge.
We know from all the stats and from talking to people that people come to work here often because of the blog.
They read something on the blog.
They got interested enough. So it helped us present ourselves in a way.
And it was a much smarter strategy than saying we're smart. Like, you know, you see people on their blogs.
They're like big up the company. Just explain how you solve some problem.
We solved this problem like this. And the Google thing was a great example.
That was Matthew very much encouraging. He was like, write up. What happened?
And when the Facebook outage happened, we got the blog post up before they came back.
I mean, you know, people wanted to understand what was happening.
And we had the perspective there. Yep. So it's also showing you that we have people that know, that can understand these type of things.
Yeah. But also just being transparent, talking about how you built something, how things went wrong, how your thing went wrong.
People trust you more. It's much more honest and human to do that than to try and like paint some picture of who you are.
True. Quite interesting that it's a technical blog.
But even being a technical blog, it's about humans reading what other humans are doing.
Yeah. What other humans are building, understanding, seeing.
And if you're transparent, it's something you feel interesting and you want to share.
Others will resonate potentially with that.
Well, the other thing I always felt when I was editing the blog was that what we should do for every blog post is really educate people.
I would always say to people, look, your goal is to educate people.
And so what you're trying to do is you've got to imagine that your reader is fairly technical, but not an expert in the domain you're reading about and wants to know.
And so they're like, those are people who are hungry for knowledge.
They want to learn something. So be an educator and help them understand.
You've worked on many. I would say to you, you haven't explained this well enough because someone won't know what that term means or won't understand the implications or whatever.
So we try to really educate people with it.
And then people hopefully do learn something, but also come away feeling, oh, that was interesting to me.
And so that's what we try to do with the blog. True. There are areas of culture that are not securities, of course, a normal area.
Most companies have specific areas like that.
But for example, the research team that started as the crypto team was not like something that every company had.
No. When having a team like crypto team started being, oh, this is important.
Let's have a team.
The crypto team is important because crypto is important for the Internet. And so if you think about the fact that we did Universal SSL very early on, and then it was like, again, if you're being technical, you need to stay up to date.
And the crypto stuff has sort of special attributes.
It's more mathematical. There's a bunch of pitfalls around it.
So you sort of end up needing some expertise in that area.
And then quite quickly, because crypto is weird, right, in that it itself gets outdated and actually endangers security, right?
Nobody uses DES anymore or whatever.
You have this need to stay ahead. And the horizon is a little bit longer.
You're dealing with standards bodies. You're dealing with thinking about the next algorithm.
So it sort of naturally has this slight longer timeline around it.
So that then sort of morphed into, well, what should we be thinking about this many years out?
And actually, if you think about Cloudflare's engineering, you have CJ's bit, which is quite well defined.
They know what they want to build for the next three, six.
They have a sort of plan on where they're going at it.
And they have a higher probability of customer acceptance of their thing because they have contact with the product and managers and the customer.
And if you think about the ETI organization, it's a little bit further out.
It can be adopted a little bit later. More fuzzy in terms of how it will be accepted.
And then you had the research team, which was much further out and much fuzzier.
So it gave Cloudflare different horizons. So you want to have these overlapping worlds so that you can keep running on all this kind of stuff.
Because none of those teams would do what the other one did.
Right? They're different flavors of engineering.
But that was not determined right from the get go. No, no, no.
It developed. It developed. It became like, yeah, we should go that way. And actually, that's one of the things I think that Cloudflare did quite well, which was to...
One of the things it's quite tempting to do in startups is to look at the companies that are an order of magnitude larger than you are, ask what they do, and then copy it.
And it's not a bad exercise. You can certainly look, but you certainly shouldn't copy.
Because it doesn't necessarily work in your culture or the structure you develop.
What you should do is to be very observant about what you're doing and see where you should change to create some scenario.
Like, well, we should probably be thinking longer term about crypto, right?
Well, we'll have a couple of people.
So you sort of organically do it rather than try and impose a structure.
Great. Also curious about, also related to the research crypto team, research team, the Lava Lamp story.
Yes. How that came to be? So I've looked at the emails about this.
And the email says, it's from Matthew, and it was to Nick, who was running the crypto team, and just says that he and Matthew and I had been talking and had come up with this idea.
I think at least me, and I think probably Matthew, had seen Lavarand, the Silicon Graphics, the original thing.
And we had this idea that we would have this random number generator.
What's nice about the Lava Lamp thing is it's an example of the sort of slightly silly, slightly playful storytelling.
I think that Cloudflare has done very well. Technical. It's technical, but it's also a story, right?
Absolutely. You know, that Lava Lamp wall, it's just crazy how many new stories there are, how that is captured by people.
Because it helps you tell a very technical story about something. Oh, if you just say to somebody, you need random numbers for cryptography, be like, okay, fine.
I need random numbers for cryptography. But if you say, we generate random numbers by Lava Lamps, people are always like, what?
And now you're telling a story, and they're thinking about it.
And so, the origin was one of Matthew and I, and I said, which one of us?
Which is, hey, we should do that. I think Nick said it was you.
I think it may have been me, but I know that Matthew and I talked about it.
And then, you know, we went with this, well, now I can think of more how many it is, and kept it, and all that stuff.
But it's interesting that if you tell that story to someone from a different company, maybe they will, oh, the marketing team came up with that.
Yeah. And it was not a marketing team. It was all based on being geek, being technical, and wanting to do something fun with what you know, a technical, really technical thing.
But the marketing team is doing something different, right?
Sure. They're trying to reach people who will be customers. We weren't trying to reach customers with the Lava Lamp thing.
We were trying to tell a story about Cloudflare.
And, you know, yes, of course, it gets in the press, people hear about Cloudflare, and it has a downstream.
But if you think about what the marketing team does, and all of the stuff they prepare, all the trade shows, all the documentation, all that kind of stuff, that's a different kind of communication.
I think of the Lava Lamp more as more around communications than around marketing itself.
True. And by the way, one of Cloudflare's secret success is Daniela's team.
I mean, that comms team is extraordinarily good at what they do. At looking at the stories inside the company, is sharing them.
The company, working with the press, building the relationships with people, get the stories out there.
Because, you know, that doesn't cost us money if somebody writes a story about us.
And the leverage on, you know, a good news story written about Cloudflare is very, very big.
Is there like a moment with Zero Trust and also Workers where you saw, oh, we're actually doing something that is good, that can take off from here?
Well, with Zero Trust, certainly when COVID hit, and, you know, quite a few companies relied on it to do remote work.
That was sort of an obvious, like, yeah, yeah, that's going to really work.
But I was actually pretty convinced right from the beginning, actually, because I think Cloudflare had shown that we could out-innovate people.
And the fact that, you know, Zscaler existed or whatever was almost completely irrelevant.
They were going to, yeah, we were going to take off. And actually when we launched the Zero Trust stuff, we know that the CEO of Zscaler sent an internal email saying that they now had real competition.
That they felt that there was real danger.
So I think he was right. And, you know, I think that there was, I was pretty convinced we could build that and make it work.
And the worker stuff, I think the worker stuff is just one of those things where it's like, how much have you rolled out of the platform to capture what percentage of developers?
Because, you know, some developers are going to jump immediately. They're going to have a problem that fits your domain.
And you just have to add more things, which is why it was good to add databases and queues and stuff like that.
So you just capture more and more people.
And Workers for me is a thing that's just going to continue sort of doing this thing like this.
It just sort of spreads out around the world as more and more people catch on to the fact that they can use the platform to build whatever application they're trying to.
It's quite interesting to see how it's growing not only in user, but also in what you can do with it specifically.
Yeah, and then, of course, adding on the AI capabilities as well. A lot of people want to build AI applications quickly.
The Workers, in terms of Workers specifically, Kenton Varda was initially pushing for that.
How was that process in the beginning?
Well, because what happened prior to Kenton was we did actually do Workers, which is that some of our customers wanted custom modifications.
And that was actually built into our own code base. We had this thing called edge-side code, and that was, of course, completely unmanageable.
You can't have in your actual mainline source code, oh, if customer X, here's some code.
But Kenton, of course, had done this thing called Sandstorm before, which was sort of this way of running software.
And so he had thought about this quite a lot. And so actually, it was a super easy decision.
I was like, go for it. It reminds me, actually, of the DDoS decision, which is we were already doing DDoS stuff.
And Marek came to me one day in London.
He said, can I have a meeting with you? I want you all to go ahead and work on this idea about this autonomous DDoS mitigation system.
And I've got this idea about how I'm going to do it. And I remember saying to him, okay, you assign all of your RRDNS JIRA tickets to me.
I'll fix your bugs. And you can go think about this thing.
So I think the Workers thing, I mean, I remember Matthew, Kenton and I had lunch in a Mexican place near the office in San Francisco.
And it was sort of the, yes, do it. One of the things that I noticed with so many stories I hear, not only directly from you, but from others, is the freedom to allow people to do things.
They drive them. They feel that could be relevant. They want to give it a go.
Yeah. And some freedom. Hey, okay, you have time. Try it. Give it a go.
Also, it's part of the culture, right? I think so. I mean, I think that any good technology company unleashes the, you know, the ideas that their employees have.
Otherwise, it's already hierarchical. It comes down from the top.
And we were never kind of like that. And it won't keep the technical folks that wanted to build.
No, it won't. And also, you just miss out on some great ideas.
I mean, another idea, if you look at Unimog and Plurimog and all the stuff that does the load balancing kind of work, you know, that was, you know, Olifa's team.
And they kind of made that happen. That's one of the very internal engineering kind of things.
You know, no product manager is going to be like, we need to build an X like this.
I think that's also part of the thing you were asking before about being a technical company is like, technologists will also spot things that are big needs that need to go out there.
Interesting. I remember the Quad One story, 1.1.1.1, public resolver, of being like a project that was not in the cards initially.
No. And it was a bit like that, right? Yeah. And also the fact that we got that IP address with the agreement with APNIC.
You talked to Jeff about it as well.
And, you know, that's a great example of just something completely audacious, right?
I mean, you know, Google had 8.8.8.8. What's better than 8.8.8.8?
Well, 1.1.1.1 was, and it was essentially unused. And so it was like, can you go do the audacious thing?
And, you know, if you think about that, if you just step back and you say, can we get 1.1.1.1?
The answer is no. It's controlled by APNIC.
You know, they're never going to. Yeah. Also, we don't want to spend any money on it either.
Can we get it for free? You have to sell it, right? Right. Like, why do you want it?
And give like a good argument. What are we going to do with it?
Yeah. And, you know, we gave this resolver and did the privacy part of it and gave them back data, which helps them in their mission around, you know, being one of the NICs and being able to write about challenges on the Internet.
Data around the Internet.
It's really interesting to see in terms of technology in general, how things can evolve and being built from ideas from, oh, but we think this could be important.
There's like a use case for this. And others from APNIC, other companies, maybe something resonates with them.
It's also about telling stories and being human.
You don't ask. You don't get anything. That's true. You know, and just do it.
Like, just do it. Like, ask someone. Do the thing. You know, do this audacious thing.
I'm laughing because just do it. I heard a few times in something I was preparing yesterday.
So, it resonated. I think that, you know, I certainly saw from Matthew while I was working for him, it's just like, just try it.
Just be ambitious about it. Last but not least, what is the thing about the Cloudflare blog?
And Cloudflare, you think, should be known, should be out there.
You wrote a message when you stopped being the editor-in-chief of the blog last year that spoke about many things.
We spoke today about humans, about technology, about making it interesting, about educating people.
You actually said three times, educate, educate.
Yeah, yeah. I do, yeah. What would be the thing you think should be well-known about that amount of work and the legacy that it brings as well?
I don't know, but what comes to mind when you're speaking is that we are a very technical company.
We're selling a technical product to technical people.
It's very easy to forget that all of that technology, all of this stuff is made by people.
And, you know, often, I used to do these final calls, right, the final interviews with people.
And a very common question was, what's Cloudflare's biggest challenge?
People would always ask this question. And I would always say it's hiring people because, fundamentally, all of this is about people.
All of it is about finding the right people to put in teams, about finding the right people to go out and sell, about finding the right people to express things on the blog.
It's about human communication.
It's the magical thing that makes it work. And so I feel like, you know, that is what you have to spend time on, is the teams and the people, the community, how you do it.
And so when I think about the blog, the reason I was like, educate, educate, educate, is it's sort of respectful of the reader's time because you want the reader to not feel like you're arrogant or showing off.
You want them to come and feel educated and happier and learned and enriched by the experience.
So, again, it's just very much a focus on the person who's on the other side of the screen.
Last but not least, why did you want something like Radar around?
Well, Matthew wanted it. Again, we have a unique perspective on the Internet.
Don't just keep it for yourself. Put out there what we can without invading anybody's privacy.
You know, talk about the trends.
It has the same function in a way as the blog in the sense that it gets people interested in Cloudflare, but it also shows the transparency.
And it's a benefit.
Who can find out? You know, look what happened in Portugal with the outage, with the electricity outage.
We can see how different things happen, which others can't see, couldn't tell other people.
And sharing those stories also is part of the human collective memory.
Completely. And now, you know, we have the AI assistant and the API, and you can go in and match that up in a way that, you know, if the data wasn't there, you couldn't even think about the question you're going to ask.
Where do you see Cloudflare going?
I think Cloudflare is one of the, will be one of the iconic Internet companies.
I think you'll end up in a situation where it's, you know, it's Microsoft, Google, Amazon, Meta, Cloudflare.
Anything you're most excited about, even being on the board and having that knowledge of what's coming specifically for the company?
Any area that you feel that could be expanding with AI now, for example?
Well, I think that we mentioned earlier, that I mentioned earlier, that Cloudflare has never changed direction.
And I think that's incredibly exciting because Cloudflare knows where it's going, right?
Along the way, you have to figure stuff out, but it's like, there's a very clear direction.
And I think, you know, Mark Anderson joined, CJ, Brent is working very closely with Mark.
I think you're seeing a, like Cloudflare grew and grew and grew and grew and grew.
But I think it's just going to do this.
It's going to grow incredibly. And I think you're going to see that Cloudflare is an absolute household name.
And so it's not a specific technology.
And I think the AI work is fantastic, but I think it's this incredible platform.
Because when a customer buys a Cloudflare product, a lot of what they're doing is buying into the network.
And then they can add from there. And that's pretty huge.
It is. It is. And not many companies can do that. Favorite Cloudflare product.
See, you know, in my retirement blog, I said that this was like trying to choose your favorite child to sell.
I know. So, I mean. You can give more than one. I'm going to say that my favorite thing is our DDoS platform.
And the reason it's our favorite thing is it's not the architecture I wanted.
And so it was a lesson in humility.
Because what I wanted to do was build these massive scrubbing servers that would cost a fortune, have all this cool technology in it.
Because I like technology.
And Matthew was like, no, that's the wrong thing to do. You need to do it distributed.
Because, of course, that ends up being cheaper and more resilient and more scalable and the stuff.
And I think the DDoS stuff has proven itself under really high loads.
And I was wrong. And there are quarterly reports about DDoS.
It's still a thing. It's still crazy. Actually, this one, maybe it's similar.
Most underrated Cloudflare innovation. It's probably actually going to be Cloudflare Calls, actually.
Cloudflare Calls could become something that you don't even realize is being used for all sorts of stuff.
I think it's definitely underrated at this point.
And stay tuned for several clips of this program with some of the experts that participated.