Cloudflare TV

What Lies Ahead for Cryptography and Why it Matters

Presented by John Graham-Cumming, Dr. Dan Boneh, Ashley Williams

Best of: Internet Summit 2018

Session 1

  • Dr. Dan Boneh - Professor of Computer Science, Applied Cryptography Group, Stanford University
  • Moderator: John Graham-Cumming - CTO, Cloudflare

Session 2

Cloudflare Engineering Manager Ashley Williams discusses common workflows and the developer experience using the Workers serverless platform, at Cloudflare Connect.


Transcript (Beta)

All right.

I've got one important word written on my notes here and that is lunch.

So we're between you and lunch so I apologize if your stomachs are starting to rumble.

I have with me Dr. Dan Boneh, who is professor of computer science in the Applied Cryptography Group at Stanford University, and you've also started a Center for Blockchain Research, so we're going to talk about that, because that's something I'm mildly suspicious about, but I hear Stanford's a good university, so there's probably something in it.

But before we get started on that sort of blockchain-y kind of side of things: when I was growing up, the word hacker meant someone who did something, and then it, we did something with computers or electronics or things, and it veered into being somebody who breaks into things, and it sort of slightly reclaimed its place. But we need to talk about the word crypto, right? So what's happened to the word crypto?

Yeah, that's actually pretty interesting. So the word crypto, I hope, in this audience means cryptography.

Cryptography is the science of protecting information and more, and the word crypto has morphed in the last couple of years to also mean cryptocurrencies, and these days when you use the word crypto there's a bit of confusion.

Is it cryptography? Is it cryptocurrencies?

So I want to set the record straight: crypto means cryptography, and I should have worn that. But at the same time, I have to say blockchains are a really, really exciting area. They're a fantastic application of cryptography, so maybe we can even use the word blockchain instead of cryptocurrencies to be clear about what we're discussing.

I do want to say that, in fact, we did start a new Center for Blockchain Research, and I'm really excited about the science behind blockchains. For researchers in cryptography like me, literally every project that I talk to, I walk away with three new research problems to work on. So there's a lot of questions that these projects bring out that have never been asked before, and so this is a really exciting time to work on cryptography, both for protecting information and also for its other applications.

All right, we'll dig into blockchain as we go through this, but you were mentioning to me just before, with the last talk, which was about education, and the previous one about usable security, that you're seeing in your undergraduates a great interest in security education. So can you talk about that?

Of course. So let's see, if I have to ask you, what is the most popular area in computer science for our undergraduates?

Let's see, I imagine you all know the answer. We can say it all together. I'll just say it: it's actually machine learning, right? Machine learning is actually the most popular area, but security is actually the second most popular area among our undergraduate students. So our security courses, our crypto courses, they're very, very well packed. As I said, second most popular area among undergrads. Well justified: lots of jobs that are open in the industry. So, you know, we're edgy, we're graduating students in the area as quickly as we can, and I hope, you know, all of you guys are hiring them.

Okay, brilliant. Well, that's reassuring to know, because it only seems to get more and more important to have everything be secure as we go forward.

All right, just to dig into some areas which you're actually doing work on: so I was using this idea of aggregation of information, how you deal with information in a secure way. I think it's called Prio, right?

Yeah, yeah, so that's really a fascinating topic to talk about. So cryptography, as we said, it's kind of the science of protecting information, right? So how do we protect information? But it goes way beyond just encryption, which is what the public typically thinks of, and I want to give you one example of how we use cryptography to do much more than just encrypt data. And that has to do with aggregating information, aggregating data.

So what happened was, there are a lot of companies who are interested in pretty much the same problem, which is the following: they put their products out there and then they want to understand how their customers, their users, use those products. So today the way that's often done is you send telemetry back from the product to headquarters and then you build statistics based on that telemetry. So this comes up again and again and again in many different verticals. So cars, for example: car manufacturers want to know how the customers use their cars. You know, what features of the radio did he use? Did he use the, you know, the electric windshields, the windows, and so on? So what features did he use, how did he drive the car, all that information can be collected from a modern connected car and used for statistics. Cell phone vendors want to know how customers use their cell phones, browser vendors want to know how their customers use the browsers, and so on. Again, all that information can be collected by telemetry, but of course there is a huge privacy... this is kind of a good follow-up to the previous panel... there is a huge privacy issue here with collecting information about customers' use.

So, just to give you one example, suppose you're a web browser, or maybe you're a cell phone provider, and you want to know how many of your cell phones in the field are infected with particular malware. Yeah? So today what you would do
is you would have basically the phones report back whether they're infected or not, and you would kind of aggregate that information over all the data that you got from the different customers. The problem with that is all you were interested in is how many people are infected. You weren't interested in who is infected. Yeah? And by collecting telemetry kind of in a naive way, you learn more than you wanted to learn. And of course, you know, the best way to not lose your customers' data is to not collect it in the first place. This is kind of a good, you know, mantra to live by: the best way to not lose the data is not to collect it. So the question is, how do we aggregate information from our customers without actually collecting that information? That is, how do we learn statistics about data without learning the underlying data? And that's actually an area where cryptography can help a lot. Yeah?

So there's a system, this is one example of such a system, that we built called Prio. What it does is essentially exactly that. You can kind of figure out, you know, how many people are infected with a particular malware, how many people have their home page set to google.com, how many people are currently on the Bay Bridge. Yeah? All that information you can collect in aggregate form without learning anything about the underlying data. Yeah? So that's what the system allows you to do, and I have to say it's kind of fascinating. This is actually getting deployed now. You'll be hearing soon... as I said, there's a lot of interest in this from many, many different verticals. So Prio is actually starting to get used now, which is kind of cool.

The interesting thing to say, though, is the way Prio works is it collects information basically in secret-shared form. So you can think of it as though, you know, the user sends the information to the cloud, but the cloud doesn't really get to see the information in the clear. Nevertheless, it's able to
aggregate the information from all the customers, and once everybody's contributed their data, the aggregate data becomes available.

Now there's an immediate interesting problem that comes up, which is: since I can't see your individual contribution, who's to say that you're not sending me junk data, like, that's way out of bounds? So, for example, if I'm, I don't know, a maps provider and I wanted to know how many people are currently on the Bay Bridge, well, if you're about to go on the Bay Bridge, you have a huge incentive to report an unusually large number just from your own car, say, or from your own phone, so that the system thinks that there is a huge number of cars on the Bay Bridge, and they'll route everyone everywhere else and you'll get a free, you know, an empty run through the Bay Bridge. Yeah? So it's kind of important to make sure that the data that people contribute is in fact in the right range and satisfies whatever predicates for validity need to be satisfied. Yeah? So people are not contributing junk data just to throw off the computation.

And actually, so how do we do that? You know, the cloud provider doesn't get to see the data in the clear, and yet it needs to make sure the data is within range. Yeah? So this is exactly where this beautiful application of cryptography comes in. This is an area called zero-knowledge proofs, where you can actually very efficiently convince the cloud provider that you're sending valid data without telling the cloud provider what the data is. Yeah? It's kind of a magical aspect of cryptography. It's kind of something that I think everybody should be aware that it's possible: it's actually possible to send you data without you knowing what the data is, and yet they can convince you that the data satisfies certain properties. Yeah? So if it's just whether I'm on the Bay Bridge or not, I can convince you that I sent you, say, an encryption of zero or one
without telling you whether it's a zero or a one. Yeah? And then once the service is convinced that the data has integrity, it has validity, it can aggregate it in private form, and once everyone has sent their data, the aggregate data becomes available in the clear. Yeah? So the system that does this is called Prio. The property that it's robust against malicious contributions, well, it's called robustness. And yeah, it's very scalable, very efficient, and as I said, it's actually getting deployed.

I've always been fascinated by zero-knowledge proofs, because they are one of those moments where you think about them and you go, how is it possible to do this thing? And the example I've always seen is there are zero-knowledge password systems where you can prove to a system that you know a password without revealing anything about the password, even if the other end was malicious. So if the other end was taken over by someone else, you haven't given anything away. And that seems like, how is that possible?

Okay, well, I'm happy to explain how that works, but now we're gonna have to go to... okay, let's talk about some equations. Although what you said is actually a really good point, in that it is important to understand also with password management systems: today when you log into a website, you send the website your password, right? Well, what if it's the wrong website, which is what we call a phishing attack, and you send the password to the wrong website? Well, there are good authentication systems where I can just prove knowledge of the password without actually sending the password to the other side, as you said. Yeah? Now even if I'm at a phishing site, the other side will get nothing, yeah, from that interaction. So, you know, cryptography, you have to understand, it's not just about encrypting data. Cryptography does a whole bunch of things for us, and it's a remarkable tool to put to use, and I'm actually really happy to see it
actually getting more and more use. And to be honest, this is why I'm kind of excited about these blockchain projects, because they are really at the cutting edge of what cryptography can provide, and they're even asking questions that we as a research community never considered before. So, you know, they're coming to us and saying, can we do this X, Y and Z? And we go, yeah, that's actually a pretty good question, and then we go and work on that. So for us it's...

Stopping you talking about blockchain, yes, till the end. But I want to talk about one other thing, which is SGX. Yes, yes. You know, in the news today there's a scary news story about a hardware attack in the supply chain with chips being added to motherboards, and SGX is a hardware component. Yes. Take us through what SGX is, and also you're interested in the security.

Oh yeah, yeah. So actually this is again something that I think everybody needs to know about. So we do a quick show of hands: I'm really curious, how many of you have heard of Intel SGX? Oh, very few. Okay, so let me do a quick recap of Intel SGX. I think this is something that everybody needs to know about. So what it is, is basically it's not a hardware component; it's something that is part of the main processor on your system, and in fact if you bought a machine in the last couple of years, you already have Intel SGX built in. What it is, is a technology that allows you to kind of create what's called a hardware enclave. So it allows you to run code on your main processor in a way that the code and the data that the code acts on are isolated from the rest of the system. Okay? So literally, in your processor, you can kind of cut off part of the processor and have it run a job that no one from the outside can see what it's doing, not even your operating system. So not even malicious entities who are on your main processor, even they cannot look into the enclave, at least in theory. Yeah? So that's what Intel SGX allows you to do. I
think that... I've actually been... so, interrupt you: what do you do with that?

Yeah, I'm gonna explain that. Okay, great, that's a great question. I'm gonna explain. So there have been recent attacks on the hardware enclave, so Intel SGX right now is not as secure as we would like, but, you know, we hope that over time it actually will become better. And there are actually many hardware enclave architectures out there. Intel SGX is just one example that's shipping widely, but there are many others that are available.

So what do we do with it? Well, let me talk about an application of it in the cloud, and let me talk about an application of it on your end-user machine. So in the cloud, you can imagine one thing people worry about is, if I outsource all my computing resources to the cloud, including all my data, then perhaps, you know, a corrupt administrator could somehow get a hold of that data and do something with it. You know, basically we're trusting the cloud to keep our data and our code, you know, intact. Well, with hardware enclaves you can reduce the trust in the cloud, because basically your code will run inside of the hardware enclave. The hardware enclave will have a secret key built into it, so that only inside of the enclave the data will be available in the clear. Outside the enclave everything will be encrypted. So now even if someone in the cloud tries to exfiltrate your data in some way, all they see is ciphertext. The only place where data lives in the clear is inside of the enclave, where no one can see it. Yeah? So that's kind of a typical application for enclaves in the cloud. We're not there yet, yeah, we're very far away actually from making this a reality, but that's kind of the long-term vision.

On the end-user side, I want to describe something that we did recently, which I think is kind of useful, and something that, well, something I wanted all the time. So the problem that always kind of was really
frustrating to me was, every time I log into a remote system and I type in my password, or, you know, maybe I type in my social security number or my bank account number or my credit card or my tax information, that information that I typed into my laptop, you know, I never know... I mean, maybe there's a key logger on my laptop and it's recording everything I type in and sending it to who knows where, right? I just can't tell if there's a key logger on my laptop, because who knows, maybe the operating system got compromised and I can't even trust my own operating system to tell me what's running on the machine. So what I really wanted was a way for me to have, like, guarantees that whatever I type on my laptop is not visible to malware on my laptop, no matter how deeply the malware is embedded on my system. So only the remote website can see what I type in; anything on my system cannot. Yeah?

Well, so hardware enclaves are actually like a perfect match for this type of problem. And the way the system works, it's called Fidelius, by the way, that's for you Harry Potter fans, I hope you recognize what Fidelius is. But anyhow, so the system, what it does is the following. You know, again, it's not quite ready for deployment, but let me explain how it works. Essentially everything that I type on my keyboard goes through a little encryption engine inside the keyboard. Yeah? So literally every click gets encrypted on the way to, you know, the main processor. The way we do that is basically, you know, the way we hack hardware these days is we use Raspberry Pis. So the keyboard is connected to a Raspberry Pi, the Raspberry Pi is connected to the main machine, so literally everything that I click gets encrypted at the Raspberry Pi on its way to the machine. All right, so fine. So now my clicks basically are all encrypted. The question is, who can decrypt that information? And the answer is, well, you guessed it: basically you
can decrypt only inside of the hardware enclave. So as I type, basically nothing on the system can see what I'm typing other than the code running inside of the hardware enclave. Okay, fine. So we're not done yet. That's step number one.

Step number two is, how do I see on the screen what I just typed? Right? So if the hardware enclave sends the clicks, you know, my keys that I entered, if it sent it to the graphics card in the clear, well, malware could just intercept it and steal it. So we need to have a trusted path from the hardware enclave onto the screen. And here we used another Raspberry Pi, where what it does is it basically has two HDMI streams going to the display: one HDMI stream coming from the main graphics card and one HDMI stream coming from the actual hardware enclave. Yeah? So the real website is rendered by the main processor, and that appears in the main HDMI stream, and then whatever I type in is sort of rendered by the hardware enclave, and that's sent in a separate encrypted HDMI stream to the Raspberry Pi. So now there are two HDMI streams, one is plaintext, one is encrypted, going to the Raspberry Pi. The Raspberry Pi decrypts the encrypted stream, overlays it on top of the regular HDMI stream, and then there's one HDMI cable going to the display. And so, because it's an overlay, you can see the keys that I just typed on the screen, so I can tell exactly what I actually just entered. But the amazing thing is, if you run like screen capture on the system, basically the screen capture just sees an empty field. Like, I type and type and type, and I see it appearing on the display, but you look at what the system thinks is on the screen and it just sees empty, yeah, empty data. So this is a way for me basically to type, I can see what I type, but nothing on the system actually is seeing what I'm typing other than the hardware enclave. And then the hardware enclave in addition also takes what I type and prepares it as an HTTP request to
the remote website, so it's encrypted again under the remote website's public key, so that only the remote website can see the data that I just typed. So these components, eventually, I hope the keyboard Raspberry Pi will get embedded into the keyboard, the display Raspberry Pi will get embedded into the display. Yeah? So you would just buy these secure keyboards and secure displays, and now actually you're guaranteed, when you're typing on your keyboard in the secure mode, you have to make sure you're in secure mode, then nothing on the system sees what you're typing other than the remote website and the hardware enclave, which is isolated from everything else. So to me this gives me kind of peace of mind. Now I would feel much more comfortable, say, doing my tax return on my computer, knowing that nothing on my computer can actually steal what I'm typing.

Fascinating.

So that's a kind of interesting application for hardware enclaves, but like I said, there are many, many, many others, and it's quite promising technology.

All right, I'm gonna unleash your blockchain knowledge. Yeah, tell me about the Center for Blockchain Research. Okay, in five minutes.

All right, all right, so blockchains, yes. So maybe you've noticed, but blockchains is an area that's just a little bit overhyped, tiny, tiny bit overhyped. Yes, I actually think that all the hype around it is causing damage to the field, because it's turning away some people. But when you ignore the hype, there's really interesting science happening in the world of blockchains, really, really fascinating questions. And when you start to look at, like, what areas of technology and beyond do blockchains affect, it's mind-boggling. Yeah? So blockchains impact distributed systems, they impact programming languages. We need new programming languages for writing these smart contracts. If you write bugs into your smart contracts, you know, it's not someone's computer crashing, it's 50 million dollars getting locked up and no one can get access to
that money. So there's real, huge amounts of money at stake as a result of these bugs. We need new verification tools to make sure that this code actually is correct and implementing things as we expect. We need new cryptography, which is what I'm excited about. We need new game theory, new mechanism designs for correctly distributing incentives in blockchains, and that actually impacts economics. In fact, economists are quite fascinated by what blockchain enables in terms of currencies and such. And then there are huge legal aspects to cryptocurrencies and crypto tokens. In fact, cryptocurrencies and crypto assets have become like a pretty large subdiscipline of the law now, and there are many academics and in fact legal professionals working in this area. So when you think about this, I don't remember in the last, you know, many, many years, like, one technology that impacted sort of all of computer science, economics and law to the level the blockchain is impacting. Yeah? So there's really massive, massive ideas that are being generated here that are impacting many different fields of technology, and, you know, there's a need for research. These are like fundamental questions that have never been asked before.

And so we realized that, you know, obviously researchers across the campus were waking up to these problems and there was a lot of activity around blockchains, and our Center for Blockchain Research kind of brings it all together under one umbrella. So please come, we run a lot of events on campus for people in the blockchain space. So if you're interested, go to CBR, Center for Blockchain Research, cbr.stanford.edu. You'll see there are a lot of events that we run. Please join the events. In fact, in January there's a conference that we're running on new technology, new developments in blockchains. It's open to everyone. Everything we do is free, open to the public. So, you know, please come. If you want to speak, you know, submit proposals. So
it's really quite an exciting area, and, you know, new developments happen every day. I can tell you we're teaching a course on blockchains. This is the third time we're teaching this course. It's very popular. This time around, as you can imagine, we have almost 250 students, a very large number. I can tell you that every year, this is the third year we're teaching it, the number of students who register for the course is correlated directly with the price of Bitcoin. Yeah? So I'm hoping that it goes up and then next year we'll have 500 students. Yeah, so I just want more students, that's my interest.

Is it directly correlated? So if I could get people to go to Stanford, I could affect the Bitcoin price?

I think it's, yeah, because all of it goes the other way. Okay. Unfortunately. Pretty, yeah. So then within the space... So, I say more? Keep going, keep going. Okay.

So within the space of blockchain, as I said, I'm really excited about the area of crypto research that's motivated by blockchain, just because of all the new questions they're asking. So let me give you just one example of something that we did recently. Yeah? So that has to do again with privacy, privacy in the blockchain. So I don't know how many of you actually know how cryptocurrencies work, but let me just tell you that the Bitcoin currency, which is the largest one out there, works basically by saying, you know, every time I want to pay someone, basically I have an address, the payee has an address, and I write to the blockchain the fact that, you know, Dan is paying John five bitcoins, say. Yeah? And that transaction gets recorded on the blockchain. Fine. So if you think about that, you realize, wait a minute, there's something funny here. So the blockchain is public, it's replicated all over the world, it's public, so the whole world actually gets to see that I just paid John five bitcoins. Well, I'm not sure that's something that I
want the whole world to see. In particular, if Stanford, say, wanted to pay my salary in Bitcoin, the whole world would see what my salary is, right? Or if you were a vendor who's buying, you know, equipment from a supplier, when you have a supply chain and you pay in bitcoins, the whole world would see how much you're paying your supplier. This is sort of fundamentally in conflict with business needs. So the question is, could we add privacy to the blockchain? And this is again a fascinating area: could we do cryptocurrencies with privacy? So there are actually cryptocurrencies that kind of provide complete privacy, things like Zcash and Monero, if you've heard of those. There you can't tell who's paying who and what amounts, a completely private system. We were interested in a system that kind of goes halfway and only hides the amounts. So everybody will know that Stanford pays my salary, everybody knows I work at Stanford, but they shouldn't know what the amount is, they shouldn't know what the salary is. Okay?

So the way we do it is, effectively the transaction on the blockchain says Stanford pays Dan Boneh, but the amount is in some sense encrypted. Technically we use what's called a cryptographic commitment, but we can think of it as an encryption. So the amount actually is encrypted. Okay, fine. So now we have all these transactions with encrypted amounts in the blockchain. Well, the interesting thing is, the fundamental guarantee of what Bitcoin does is it guarantees every transaction is valid. One of the things that validity means is that the sum of the money coming into the transaction has to be at least as big as the sum of the money coming out of the transaction. So money can't be created out of thin air, and everybody has to be able to verify that publicly. That's kind of the public verifiability of the blockchain. Now I just told you all
the amounts are encrypted, so how do you verify that no money is created, that the sum of the inputs is greater than or equal to the sum of the outputs? How do you do that? Can anyone think? We have encrypted data that we need to prove properties of. How do we do it? You tell me. Zero knowledge, exactly.

So that's another wonderful application of zero knowledge, and just to show you why this is a new area, the challenge here is, putting data on the blockchain is extremely expensive, because it's replicated all over the world and it's data per transaction. So you want to minimize the amount of data on the blockchain. So the question is, what is the shortest possible zero-knowledge proof that will allow us to prove that the transaction is valid? So we're looking for short zero-knowledge proofs. Yeah? And so we designed a system called Bulletproofs that actually gives the shortest zero-knowledge proofs that we have without trusted setup, and actually, you know, that is something that's getting adopted. Again, this is why I love the space: you kind of invent something and, you know, projects actually go and adopt and deploy it. So I don't know, so this is, okay, one example.

Let's do this. We're very close to lunch. Let's let the audience ask a question, if there's a question. Let's see, let's go all the way back over here.

Enough. Can you talk a little bit about homomorphic, actually maybe multi-party computing, Shamir secret sharing, kind of the applications for that?

Oh sure, sure, sure. I think you started with homomorphic encryption, yeah. So, oh man, so you're asking me in one minute to talk about homomorphic encryption.

Okay, well, I'll say that 30 seconds.

So, more thinking. So fully homomorphic encryption is basically a development, actually by one of my former students from a few years ago, that basically allows you to compute on encrypted data. Yeah? So even though the data is encrypted, you can still compute on that data. So I can each so that
I don't know that there are many applications for that technology, but maybe instead of giving applications I'll just give a caveat, in that fully homomorphic encryption, we know how to do it now in polynomial time, but unfortunately in practice it's still a little bit too slow to actually deploy in the real world. So it's technology that's coming. Hopefully, you know, crypto systems can only get better, they can't get worse. So I guess unless they're broken, yeah. Other than that, they only get better. So hopefully we'll have better and better homomorphic encryption at some point that can actually be used in practice. So I'll leave it at that.

Okay, we're seconds away from lunch, so I'm gonna stop, not have another question. But so two things. So lunch is on the roof and in the basement, so you can choose whether you want to be in the dark or in the sun. We'll be back here at one o'clock. I'll actually be back here at one o'clock with Sophie Wilson, who was the designer, one of the designers, of the first ARM chip, and every single person in this room has multiple ARM chips. What I was basing, you were using Raspberry Pis, which are an ARM core. So she's going to talk about the genesis of ARM and how that was great. So that's at 1 p.m.

back here, and then I'll be done for the day and get to have a rest. But go have lunch. Dan, this was fascinating. We could have gone on for an hour. I think we should have had a whiteboard. So thank you very much for joining us.

My name is Ashley, and the title that I was given for the conference was Workers developer workflow, but I'm gonna take this talk in, like, kind of a little bit of a different direction. My team members are gonna come up later today and show you a whole bunch of cool demos. I'll do a couple, but my real goal of this talk is I want you to understand how we think about Workers developer experience, and hopefully that's going to, one, encourage you to think that maybe we're on to something and we care about you as a developer having a good time, and two, hopefully get you involved in providing more feedback, doing some walkthroughs with us, because we really want to get to know you. And we know that your time is valuable, but to the extent that we can encourage you to think that we're gonna listen to really make some changes, I hope that I can.

So with that, how many people here are currently using Workers? All right, cool. If you don't, I like to say this wouldn't be a business presentation if I didn't show at least one QR code, so here it is. This will help get you signed up for Workers, and I do hope by the end of this you would be excited to try it out. We have a free plan, so you can just play around with this. If you ever deployed something on GitHub Pages, just as simple. Try that out. It's good for a little weekend hacking, assuming that you're not so tired of coding by the end of the week that you're like, I just want to watch TV. I know how that goes.

All right, so this is a picture of my face, and this is also all of my, you know, connect with me on Twitter or on GitHub. But you'll see here I have this kind of like really absurd title. So I am both a product manager and an engineering manager for the team with the longest name, I think: developer... Workers Developer Experience at
Cloudflare. So this is a real mouthful, right? What I will share is that when I joined Cloudflare, it was in late February, and they kind of hired me just, like, generally, and they were like, hey, you do a whole bunch of Rust and WebAssembly stuff, we want Rust-generated WebAssembly on our network, come and just, like, do that. And, like, all right, like, cool, I'll do that, sure. And so I kind of sat down. I didn't really super know what Workers was. I knew it was, like, part of the serverless movement, but it was, like, serverless, like, plus edge. So we're getting, like, a lot of word salad going on with this kind of technology, and I was like, cool, let's add some more word salad, get some Rust on there, get some Wasm, like, this is gonna go great on Hacker News.

And so I sat down, started working on it, and a couple people were like, our customers really love cutting and pasting curl commands from our docs. And I was like, do they? All I knew was, like, sure, I mean, maybe some people are into that, but that was not my style. And so I whipped up this thing, which I, I had just moved from New York City, so New York City native, love me some New York City, I'm so happy to be back, but I moved to Austin, Texas to join Cloudflare, and so I was trying to, like, channel my, like, inner cowgirl, I guess. And so I named this CLI Wrangler, which, after some kvetching, I think Rita has come to love it. She's like, come on, what is this weird name? I'm like, don't like the weird name, they'll like it.

So anyways, I wrote this Wrangler CLI, and we realized pretty quickly that this is something that people really liked, and maybe it would be cool if you could use it for more than just Rust-generated WebAssembly. What if you could use it for interacting with everything? And so we expanded the Wrangler CLI to be the first-class official client for Cloudflare Workers.

This is me talking about the very, very important topic of pizza delivery on the stage of JSConf EU, where we announced workers.dev, which is what we allow you to have your own
domain. You don't have to bring an origin server or anything. You can have a completely originless, like, no, don't bring your own domain name, and deploy to Workers. And I gave an example here of client-server relationships and how it's actually like a chef, your client side, and they make pizza. Anyways, you can check that out. But this was the moment where Wrangler became kind of this real thing, and we started investing very heavily in developer experience. Another thing that we announced during this was that we had brand new documentation, and we'll talk a little bit more about that in a second.

So just as a little background for me, I don't like work at companies, but I care a lot about open source and I care a lot about building software platforms. So I originally kind of started my career working out at npm. Anybody run npm install yet today? Less than I would expect. I guess it's early. It's gonna come. Anyways, but I was on the board of directors of Node, and then once I got all that JavaScript out of my system, I decided to move on over to Mozilla, where I was working on Rust-generated WebAssembly tooling, and I'm also on the Rust core team. So supporting developers for open source software and open source platforms is really, really my jam, and it's something that I desperately want to bring, that, like, kind of sense of community to the Cloudflare Workers platform.

So developer experience. How many people think they, like, have a good grasp of what I mean when I say developer experience team? All right, cool. So I'd say probably around, like, five years ago there weren't a lot of these developer experience teams out there, but they're definitely coming into fashion now, which I think is cool, because I think the days of, I'm a developer and I should suffer for my craft, are slowly going away, and we're actually realizing that we can build much cooler things if we actually care about making a developer's life really awesome. And so I'm super here for that change, because it also means that more
people can be developers than ever before, because some people are just not willing to put up with bad tools.

So to start, the developer experience team builds tools, and so our primary tool is Wrangler. So this is actually an old snapshot from the npmjs website. So you can install Wrangler either using the Rust package manager, Cargo, or you can use npm. Behind the hood, Wrangler is written in Rust. This just fetches a GitHub releases binary, so if you really want to install it manually, you can also do that. We are actually 26 downloads away from hitting 2k weekly downloads, so if you want to help contribute and trying to be the 2,000th weekly download, that would be awesome. But we do aim to make this easy. It turns out that coming up with a way of installing software that makes everybody happy is a capital-H hard problem. So if you would like to use Wrangler, but for some reason your setup means that this installation process is tricky, we want to hear from you, and that's something we'd really love to improve.

All right, but in addition to building tools, I'm a big, big believer that documentation should be considered a first-class product. How many people here work at a company where the docs are a first-class product with a product manager? Not enough. All right, so part of forming the developer experience team is, like, if we really want to build a developer platform, we need to make the documentation awesome, and so that's something that we really focus on. And so this is actually another old snapshot of what our docs look like. Today we actually released a new navigation bar so that finding things is significantly easier. But it's also worth sharing that we've made our documentation open source, so if you want to get that first open source pull request in because you found our typos, that we totally didn't just push in there to see if you're actually reading the docs, please make a pull request. That would be great. But we're really excited about kind of building a larger community out of
this, and one of the real things that we're excited about with documentation as a platform is, one of the biggest questions we get with folks who are trying to, kind of, like, they're, like, Workers curious, right? They're like, oh, that looks cool, but they go, what the heck do I build with this thing? As I said, we've got the word salad, or, like, it's serverless but also on the edge, and you're about to hear some more where it's gonna be, like, Jamstack, and got all these things going on. It's kind of hard to imagine what maybe you could build. And so that was part of the motivation behind our Workers Sites product, where it's like, I don't know, I build websites is something web developers say, and so, where do I put my HTML, is, like, I can solve that question for you. But if you're interested in other types of things, we have several tutorials here that will hopefully give you some sort of idea of what you can build. But my team's gonna come on in just a little bit, and they have a couple of things that are cooking up that are gonna make it even easier for you to kind of discover and imagine that, like, next cool thing you can do, this platform that Usman came up with, I kind of said in his talk, which I am super excited to see what people build.

All right, so last but not least, one of the other products that could be seen as maybe a side product of the documentation, but I really do fully believe it's its own product, is we have actually started creating this thing called the template gallery. So I shared with you that I previously worked at npm. When I work on Rust, I've actually worked a lot on our package manager, and so it's very hard for me to look at a problem and not see a package manager as a solution. The engineers in here, come on, you understand how it's like to have one of those hammers. And so one of the commands in Wrangler, which I'll talk about in a little bit, is called Wrangler generate. But how many people in here like writing boilerplate? You know, I've given this talk, this is now the third
time, and there was always some stinker that was like, I actually enjoy it. But yeah, yeah, no one likes writing that. And so while there isn't a ton of boilerplate when you're writing a Cloudflare Worker, again, we're built on top of the open source APIs of the Service Worker API and the Fetch API, so should be relatively intuitive, not terribly much boilerplate, but there's always some, and we want to make it dead easy for you to get started. And so we include what we call boilerplates, which you can run Wrangler generate and that's gonna make you a worker that does something, and you can just run Wrangler publish and it just works out of the box. So you start with something that's working.

And I know Rita talked about the time to dopamine. I didn't study computer science in university. I studied neuroscience and philosophy, because I am a weirdo, but that dopamine hit is real. When you're starting a project, particularly with new technology, if you can't get something working, you know, like, in, like, a relatively small amount of time, you either go, this technology stinks, in which case you'd be right, or you go, maybe I'm, like, not good enough to, like, figure this out. And I would hate to imagine anybody who was using Workers to feel that way, and so this is something that we've built to improve that.

Additionally, have you gone to Stack Overflow and cut and paste some code today? Yeah? Liar. You've done it, I know. Anyways, so we also have a section of the template gallery that we call snippets. So they aren't necessarily what you would consider, like, a full-blown worker, but they're an awesome unit of just, like, let's get something done. For example, one of the things that a lot of people often want to do is use a router. How many people love writing routers? I actually do. I don't know, that's kind of fun. Anyways, we give you some examples of routers out of the box, some classic things that you might be doing, and so therefore you can kind of start with that and use these building blocks to put these things
together. And as a small kind of, like, tease, we're getting really excited. We do have our online editor. So the template gallery and the snippets are really focused on kind of Wrangler right now, but we are looking to combine the experience of using our template gallery and these code snippets into our code editor. How many people saw that VS Online announcement yesterday? That stuff's awesome, right? We're moving, like, I'm not saying we're gonna use VS Code, but we really do want to create that type of experience, because we share the kind of values that a product like that would have, and so we're really excited to do that kind of work.

But so I've said a lot of the things that we build, but at the end of the day, what I'd say is our team does is we ask a lot of questions. And so this is a question that I would pose to you, and I hope that I get to see you in the hallway at the reception to hear more about how your team is working, because the big question that we ask is, what makes your team productive? And this is what I think is at the center of what it means to be a developer experience team, all right? It's, like, literally, like, what makes your developers happy? And usually around now someone shouts coffee, but there's other things that can make you happy, right?

So has anybody seen this image before? All right, this is one of my absolute favorite images, and there was, like, a moment when we were building Rust and thinking about Rust as a product that we also considered this. So this is a visualization from something that Kathy Sierra, very famous designer, said, where she says, you're designing a product, right, and this is a mistake that lots and lots of companies make. Right here we have a Mario, and that's a person who's a potential customer, right? And then you have a Fire Flower. How many people here, like, know what Mario and Fire Flower is? Cool. Admittedly I didn't when I saw this first, and I still kind of got it, so hopefully I'm not losing too many people now. But oftentimes a company will
imagine itself as a Fire Flower factory, right? We build Fire Flowers. And what Kathy Sierra did with this image was said, all right, you're making a mistake if what you think your product is is a Fire Flower. Your product is actually Fire Mario. The product that you are building, particularly when you're focused on building tools, services, something that's supposed to help somebody, your product is not the Fire Flower. It is the person, and the capability of that person that they become when they use your product. So for me, when I think about what is my real product from the developer experience team, all right, it's awesome Workers users, which is you, or potentially you, soon to be you, right? So my team's product at the end of the day is your productivity. And so that's very interesting, and here I hope you hear how dependent we are gonna be on you to hear what you need, because we can make some guesses, right, but all software teams are so interesting and they're all so very different. And so it's really interesting to me to learn about those different types of teams and workflows and figure out how we can make Workers work for you. So as I said, you know, we need to figure out how we can make your team a team of Marios.

So we have a couple of values on the team, and I'm just gonna kind of go through them. So the first one that we have is, developing with Workers should be easy. And I don't know if you've been following some of the Internet zeitgeist where it says, like, when you write docs you should definitely not use the words easy or just, which I will say, that is true. And part of the reason you shouldn't say that is because if you say, oh, just use Workers, it's easy, and then someone tries to do that and it isn't, they're gonna feel horrible. They're like, not only can I not get this to work, but I was told it was easy, which might mean that I'm a dingus, and that's gonna stink. You don't want to have somebody feel that way. You want people to feel as though they can approach your work and understand
that what they're doing is simple, but you also don't want to make them necessarily feel horrible if it didn't work. When we do user research for our tools, one of the biggest things that we have to tell people is that we are not judging you and your ability to accomplish these tasks. If you cannot solve this task, it's our fault, and it is no judgment on you as a developer whatsoever.

So I am extremely online, and so I'm on Twitter. If you will follow me, I apologize. But this was a viral tweet that I made, and you know it's a viral tweet because I spelled something wrong in it. This is a cartoon from the New Yorker, and it's two women sitting on a bench, and one is saying to the other, I like this painting because it has a bench. So I think this is a very funny cartoon, and the reason I think it is funny is because it kind of breaks what your expectation would be, right? When you're looking at a painting, most people will think that you're evaluating the painting based on some inherent characteristic of, like, the brush style or the era or the texture, but here we're just kind of saying, you know, a painting that's easier to appreciate is a better painting. And so sometimes I say, like, I'm a team that builds benches, right?

But this is, like, a really interesting question, and this is where I'm gonna kind of dive into, like, what our ideology is. But we talked about easy, right? What the heck does easy mean? And so now you can totally tell that I was, like, absolutely a philosophy major, and now I'm, like, getting into the semantics of the word easy. What does it mean to be anything? No, I'm just kidding, we're not gonna go there. Maybe at the reception, find me later.

All right, but one of my absolute favorite statements about kind of what would it mean to be easy starts particularly from, like, a very high-level design perspective. How many people here ever read the HTML5 spec? Yes. Sometimes there's not anyone, and I'm like, I understand why. Like, you know, oftentimes we think specs are supposed to, like, be, like, human
English I can compile directly to C++, which they definitely aren't. But this one's very approachable, and I would totally encourage you to read it. It's actually kind of a delight. But there's this amazing sentence. So it starts with, in cases of conflict, all right, and so this is, I think, like, again, a good design value: consider users over authors over implementers over specifiers over theoretical purity. How many people have had an argument that ended in someone fighting for theoretical purity today? Yeah, that's a nonzero set of people, for sure. It's something that I deal with as an engineer all the time as well. But when you are a developer experience team, and I mean, if you are a standards body building the web for the world, I think considering users is really, really important. And if there's going to be something hard, I want it to be for the people who are, it is, who can handle it being hard. And so most oftentimes that is not your end users. It's often you, building something out, etc., etc. So I really, really like this statement.

But of course this would not be a good talk if I didn't just give you some made-up numbers. So this is my very specific science here, and I kind of have this theory, right, where I say ergonomics is 80% familiarity, 10% ambition, and 10% laziness. So sometimes people have a very visceral, angry response to this suggestion, but what I think this really means is, at the end of the day, something that you will think is easy to use is not because of some sort of objective truth about, this is, like, objectively easier to use. It is because it is using pieces of things from which you are familiar. Which, if you are a designer, doesn't actually make the problem any easier. If there was some objective easy, like, oh, that'd be so much easier as a designer. This actually makes it incredibly hard, particularly working on a product where you have people coming from all different types of audiences. So in Workers, it's JavaScript based, which is, like, really nice, so we can expect people to
have familiar JavaScript workflows. And so how many people here have used Wrangler? All right, so you may or may not have noticed that it has some kind of JavaScript tooling sense. Now, that could be considered positive or negative. I know people have feelings about JavaScript tooling, but we couldn't really spend a weirdness budget on doing something super wild.

But if I was to, like, kind of break down this ideology, like, we can motivate users with possibilities of new and more awesome experiences, and I think with just the idea of Workers alone we're already doing it. It's like, okay, it's serverless, it's on the edge, this is motivating, that's really cool. And so that's the 10% ambition, right? And then we can also attract users with the possibility of having to do less work. Who would call themselves a lazy programmer in the audience? Favorite type of programmer. Yeah, would love to do less work. It's cool. Like, I am very error prone, don't have me do it, it seems bad, right? And so this would be the 10% laziness. But kind of at the end of the day, that 80%: overwhelmingly, developers report that tools are more ergonomic when they match experiences that they've had with other tools. And so as we continue to build out Wrangler, we're looking to see, what are the other tools that exist? What are other people using? How can we find those experiences and both make them simpler and faster, but also extend them to apply to these kind of more edgy, exciting technologies that we happen to work on? And also calling it an edgy technology, working at an edge company, the pun. Yeah, harsh audience here. Sorry, the puns will continue. No, just kidding, they won't. We'll wait till Steve comes on. I don't know if there's any puns from him.

All right, but so we were talking kind of about values. We kind of understand, this is what we think about what it means to be easy to use. But also, we expect working on Workers should be delightful. And so now I'm really leaning into that product manager role where I'm like, I'm gonna build a
delightful experience. But, like, we really, really do mean it. And just to kind of give you a sense, so if you don't like emojis, I guess fall is take a micro nap right now, but we put emojis in our CLI. There are kind fallbacks for people who use terminals that don't support it, but we want things to be kind of playful. As we said, this is, like, a bunch of strange technology, and we think that it's really exciting.

This is the logo for the Wrangler CLI. How many people recognize that character? What is it? Yeah, all right, so this crab, it is a crab, correct. Also, I just realized I said the puns would not continue, but they're about to get way worse, so that micro nap, just keep going with that. This is the unofficial mascot for the Rust programming language. It is a crab, and their name is Ferris, meaning of or pertaining to iron, and if you want to refer to a group of Rust programmers, we go by Rustaceans. That's all real, and you can look it up in the Urban Dictionary. I've been told that it's the correct definition. Fascinating.

But just to give you a sense, like, this is the team that we have. This is me dressed up in a crab onesie holding a knife in front of a large screen with a GIF of a crab holding a knife. This is all just to say the team is very, very playful and very, very excited, and we have a lot of fun, and what we'd really like is for people who are working on the Workers platform to also have a ton of fun. When we release Wrangler, we have what we call the release sheriff, so you can see one of our developers, Avery, here is wearing a crab beret on top of a cowboy hat, doing his release sheriff duties. But again, we want you to have fun.

All right, and so here's that word salad. This is why we need to inject some fun into this. I have been on the Rust core team for a while, and one of the biggest questions I always get is, like, how can I get my company to start writing Rust? And I'm like, that's a really cool but also really tough question, and there's a lot of process in there. And I also work on
WebAssembly, and I get questions, how do I get my company to use WebAssembly? All right, what we might be kind of proposing here is, like, you're now asking, how could I get my company to use serverless, edge, Rust, and WebAssembly all at once, right? Like, oh, that's gonna take a second, right? Like, these are all, I think, very new, very exciting technologies that we haven't really figured out yet what is gonna be, like, the killer app, the most awesome use case. Like, that future is coming, and it's cool to be able to, like, surf, like, kind of right on top of it, be right there and play with it. But this is gonna be a ride, and as a result we should try and make it a little bit playful.

So I'm gonna round out just by saying one of the things that we're super excited about is having you build things that we can't even imagine. I wrote this slide, we do connects around, and Usman didn't present, so I just realized that this is me just, like, now echoing Usman both from the past in the future, which is super cool. But we really need you to help out with that. So one of the things I'd really like to encourage you to do is participate in our user research. One of my favorite things about joining Cloudflare and, like, leaving open, like, I didn't leave open source, but Cloudflare, like, has user researchers. We, like, will do that work. It is so amazing. Working on, like, open source projects like Node or Rust, like, man, I would love to have you all of this user research data that we could actually make decisions off of, instead of just kind of, like, putting up a Twitter poll, which is what I usually do. So please, we're really, really serious about this, and I can guarantee you that we have made tons of decisions based on this user research, and we always need more people. So please help us out with that.

Additionally, we'd really love if you installed Wrangler. Remember, only 26 more till 2000, so please do that. You do need to use the namespace. We now have npm just Wrangler without the namespace, but this one will work and the
other will just tell you to use this.

And so what I'm gonna do now is just give you, like, kind of a very brief tour of what Wrangler's commands are, but remember that you're gonna see all of this in action with Gabby and Christian's talk later. So just a quick, quick overview.

Wrangler generate. Again, no one likes writing boilerplate. Start with a scaffold that already works. This, any template for Wrangler is actually just a git repo, so if you are working within your organization and you have the type of way that you want to run your own project, you can have, like, a company or team specific template, and just automatically works, using a tool called cargo-generate under the hood. So just setting up those repos works great.

Next we have Wrangler preview. Do you test in production? Another very spicy Internet topic. Some say it's good, some say it's not. Really depends on how much you trust. But Wrangler preview is going to let you pop open a version of your site up into a browser. We've got live preload, live reload, so when you make changes it will update that. We have a lot of incredibly cool things on the roadmap for this in Q4. I will share that we are looking into, how many people use Postman here, or something like that? Yeah, hook up your Postman to a live reloaded edge preview is something that we're really, really excited for and should be coming by the end of Q4. We're calling it Wrangler, I think Wrangler proxy right now. We're still in the naming phase, weigh in, but you can watch all of that progress on our GitHub repo, which is open. And then additionally we're going to be having a Wrangler tail follow commands, so you'll be able to see all of the stuff that's happening on your worker in real time in your terminal.

And then finally, Wrangler publish. So this will allow you just to publish right up to our edge all over the world, single command. How many people run multiple environments where they have, like, a staging or a testing? All right, so you're able to configure that in Wrangler, so you
can have any number of environments that you would like, and you can be publishing those separately using those environments. So we've got that, and then from there you're done.

This is a shout out to Workers Sites. I'm just gonna kind of run through this because I'm out of time, and this is what my team will talk about. We're just really excited about this. I feel like there's, like, a huge resurgence in the idea of static sites. I like this return to simplicity from, like, the complexity of kind of, like, this previous JavaScript era. So just go through that. They're gonna tell you this, but it's fast, it's performant. You get that, that's a rare one, right, the Lighthouse 100, like, that's nice.

All right, so I am not gonna do demos because my team is going to do them, but yes, please sign up, and I hope I've encouraged you to come get involved with us. Come hang out on our issue tracker. We really, really do want to hear from you. And yeah, go forth and be a Fire Mario. Thank you.