Cloudflare TV

🔬 Research Opportunities @ Cloudflare

Presented by Vânia Gonçalves, Sofía Celi, Thomas Ristenpart
Originally aired on 

Transcript (Beta)

Hi everyone, welcome to Cloudflare TV. We're here today to talk about research opportunities at Cloudflare.

Cloudflare Research is going to be all over the blog this week.

You'll get the chance to hear from the researchers and engineers who do technology research at Cloudflare about deep dives, demos and product announcements.

But we also want to take this opportunity to spread the word about the different types of available opportunities in the research team to connect with academia.

Today we're opening up our visiting researcher program for next year, a program for postdocs and full -time faculty members.

We are also opening internship positions for graduate and PhD students in Europe and North America for 2022.

But before we head to the topic, let's introduce ourselves. I'm Vânia Gonçalves, Program Manager for Cloudflare Research.

I help among other tasks promoting academic and industry collaborations.

Tom, if you wouldn't mind introducing yourself.

Yeah, my name is Tom Ristenpart. I'm an associate professor at Cornell Tech in New York City and I do research in computer security, applied cryptography, technology abuse and other topics.

Sofia? Yes, thank you. Hi everyone, my name is Sofia and I'm a research engineer at Cloudflare and I mainly have been working these days on post-quantum cryptography, but I also love looking at privacy-enhancing technologies as well.

Thank you for having me. Great, so Sofia, why don't you share your experience of being a full-time researcher at Cloudflare?

Oh, for sure. So, being at the team at Cloudflare has been lots of fun.

We do a bunch of different projects, what I already touched a little bit around the topics that we do.

We have a lot of thinking about how can we make the Internet better and that means improving the security and privacy of the connections that we have and making everything on the different connections more secure.

So, we have a bunch of different programs around those. We have topics of privacy-enhancing certain connections, we have the idea of what will the future bring us in context of how we should prepare in the research for the future challenges.

For example, one future challenge is the threat of a quantum computer and that's why we also research on post-quantum cryptography.

Another future challenge could be that, well, future and past challenge is that we use a lot of passwords and maybe a password is always a little bit insecure for users, so what can we do better to make the whole password using better?

So, basically, that's what we do in the team and our work is by looking at this from a research perspective, meaning reading a lot of papers, thinking of new ideas, publishing papers, publishing articles, but also how can we integrate it in the real world because the work is not only about thinking abstractly but also how it could really be applied into real world connections, into real world products.

So, we always collaborate very interactively with different teams and different products about new ideas and new thoughts that we have.

Basically, that's how we work and I have been here a year and almost a little bit more and it has been lots of fun ever since.

Awesome. We also host research internships all year round. Can you explain a bit more how internships work in the team?

Yeah, so we always have research interns that are collaborating in the team who always bring to us new ideas of what they are looking for, what kind of research they're doing at the universities, and even in the personal life if they have certain ideas that we think that can match the team and we can take it together from them, there's always those processes.

So, we actually always look for people who want to actually have hands-on experience of like if you have this abstract idea how we're going to better implement it on real networks and on real products.

So, that's basically how internships work.

Sometimes we do calls for people to apply but that doesn't mean that you can maybe in the future collaborate in a certain project or get to know someone on the team and then with that we start the connection of someone who may want to do an internship.

Right now, we have three interns that are working on post-quantum cryptography which is something that I do and they actually, we know them because they collaborated in the past with us in a previous experiment and they like it so much working with us that they decided also to join a sentence and they are collaborating in that and the work that they do is very embedded so it's going to be one part of what they do is going to be very research or thinking abstractly but all that is going to be embedded on the team so how actually make certain parts of the Internet more secure to future adversities.

So, it's both of that and that's usually how I go.

So, but also they're encouraged to publish and to present their work.

So, how we are encouraging our interns? Yeah, so there's definitely different ways that people can do to actually publish work.

There's always the academic track which is that of course you come into a really interesting idea and you publish a paper and you submit it to a certain conference, you submit it to a certain journal and that's kind of a little bit more of an academic track but we also encourage a little bit more informal writings because we have all of this process of writing blog posts and you can directly go and write it for the whole website that you have that we have at Clovelly.

You can directly write an article or a blog post or even better you can, you don't have to write all the time.

You can always have a Clovelly TV segment as this one in which you also talk about the idea that you have been pushing forward.

So, it's either the opportunity of writing a paper for an academy journal or for a conference or also the idea of having it part of a blog post or as a Clovelly TV segment to actually show what kind of work we have been doing in the summer for example with Eton.

So, it can be either of those.

Cool. Can you also share a bit how much we encourage our interns to collaborate with other teams within the company?

Yeah, for sure. So, as I said the work that we do is not in the abstract meaning that we are just like, I don't know, people who just will be doing mathematical equations all day and not caring about anything else about any of the other teams that are working at Clovelly.

That's not actually how it happens but rather that we always open avenues of collaboration and communication with the different teams.

So, everything that we do will probably have an impact in the company itself but also in the whole Internet itself.

So, we actually collaborate actively with that. How that in practice happens is that we start a communication with someone on the team.

We get to know the team and how we can better collaborate them or support the product that they're doing or in other cases we already have an idea and we present it to them and see if indeed it matches with the understanding and with the timeline that the team that we targeted is currently having.

So, it can be either of those. Right now for example one of the things that we are thinking about is again this idea of future proofing the net and that means basically touching every connection that Clovelly has.

So, that involves going and talking to all of the different teams that are in charge of those connections and talking.

Hey, we have this idea. Does it make sense to your product?

Does it make sense to the connections that you see?

And then they take you for there and we continue the collaboration process. Very cool.

So, beyond the internship positions we have opened for the past years, last year we also extended this intern experience by hosting Tom Riesenpart as a visiting researcher during his sabbatical.

So, Tom, would you like to tell us a bit more about your background?

How and why did you decide to spend some time working with us at Cloudflare Research?

Yeah, absolutely. So, as you mentioned I was on sabbatical but even before that to maybe fill out a bit of the context, the research I like doing in academia is very, I like doing problem -driven research.

So, really trying to find key issues that practitioners are facing in industry or government or the non-profit sector and understand those real-world problems and try to work backwards towards more theoretical or deeper understanding of those problems.

And I like doing that just because one, it, you know, encourages impact often, right?

You kind of, if you're actually working on problems that are close to the things people are tackling in contemporary technology systems, you know, it's likely you'll be able to come up with some solutions that help them out.

And, you know, it's just kind of fun. I like working with colleagues, you know, who are doing different types of jobs, right, and not just get sequestered in ivory tower, so to speak, in academia.

So, you know, given that when I was on sabbatical last year, sabbatical's a, you know, basically a break that you get as a faculty member once every seven years or so, and usually the idea is to kind of renew your scholarly spirit, so to speak, right?

So, some people go visit other, you know, university centers to get some fresh ideas about problems.

A lot of people in computer science who do more applied research end up visiting companies.

And so, when I was considering what to do on my sabbatical, Cloudflare came up as a really interesting option, you know, for a number of reasons.

One, I'd had a lot of connections with members of the research team because the Cloudflare research team has had such a deep connection with the applied cryptography community over the last bunch of years.

And so, I knew the people, they seemed like they'd be awesome to work with, and also Cloudflare has this unique kind of position and mission in terms of security, which means as a, you know, as an academic, it's a setting that you can't come by in academia, right, having so many millions of customers, so many websites, etc.

So, yeah, I was really excited to come and do some work. And how was this experience like?

Yeah, it was great. So, I came and, you know, we basically, it was during the pandemic, of course, so everything was remote.

But nevertheless, the team was really welcoming, and it was very nice coming from academia that, like, is very open book in terms of like, yeah, if you need to talk to someone, get a sense of what's going on, just chat them on, you know, send them a DM or jump in the channel.

And people were really welcoming. So, that was very nice.

So, we quickly kind of iterated on trying to get a sense of like, what projects would make the most sense for me to spend my time helping out on.

And what we decided on was working on, you know, password authentication security.

This made sense, we collaborated previously, my academic group and members of Cloudflare research team on these password breach alerting services, which is basically where, you know, what happens right now is criminals and others, you know, have basically stolen lots of password databases from various websites around there.

So, there's billions of username password pairs kind of that are available to attackers.

And then what they do is what's called a credential stuffing attack.

So, they just take, you know, username password pairs from these lists, and then try logging into other websites using them.

Unfortunately, this works quite a bit of the time because people reuse passwords across different services.

And so, this ends up being a very effective means for compromising accounts, unfortunately.

So, what we've been trying to do is build protocol or what we have been doing is build protocols that help warn users if their username password pair is in a known breach.

And the key technical challenge here is how to do this in a privacy preserving way so that we're not, you know, telling users, oh, you know, share your username and password with us, but rather we have a cryptographic protocol that ensures the username password pair is not revealed to say Cloudflare if we're running such service, but is nevertheless allows them to check its status as being breached or not.

So, I ended up working quite a bit on this and actually trying to make it real, right?

We had done these academic designs and prior research, and we wanted to extend those to enhance the checks that are being done in various ways, in particular looking for like similarity comparisons.

Like if you added one to your password, add a one to the password that was breached, that's probably also kind of weak.

We want to make sure we warn users about that.

And so, yeah, I spent a lot of time basically helping architect and detail out an implementation of this service.

So, I spent a lot of time like learning how to do code reviews and write specifications and do things that I don't get to do in my day job in academia.

So, the whole experience feels a bit like an internship, right?

So, shipping code and writing code first and then shipping code and interacting with other teams.

So, yeah.

Yeah, definitely.

I mean, despite being an academic and having a lot of years, more years of experience than I'd like to relay, going from like what I do normally in academic work, working with PhD students, writing papers, thinking about algorithms and theory, to like going in the trenches, so to speak, and trying to make a real product feature.

Yeah, it's a steep learning curve. At times it's a little daunting, right?

I'd done a lot of software development work, making sure I didn't mess up the Git check-ins and all this.

So, and it was nice having really supportive colleagues at Cloudflare who like kind of understood that, you know, despite having a lot of experience, I was also there to learn things and were super helpful and, you know, gave me training wheels to start with on some of this software engineering work.

So, yeah, it was super fun and educational. And do you think there's value in spending some time not only doing fundamental research but also applied research?

Yeah, definitely. You know, I talked a lot about how I went and worked on this feature, which ended up, you know, getting shipped early this spring.

But, you know, a lot of the benefit of the visit, and I think for visitors in general, is actually also just getting a refreshed source of understanding the types of problems that are being faced in practice.

So, another real notable thing that happened while I was on the visit was, you know, at some point, the CEO, you know, asked the research team, hey, we are kind of worried about this issue of like hoarding attacks against privacy pass as a feature.

I'm not going to unpack all the technical stuff here.

But, you know, it basically came in like, oh, actually, that's something we may be able, maybe we can help defend against that by extending some of the cryptographic protocols that we had been thinking about.

And so, it seeded this very basic research question that we then, you know, worked on as a collaboration between my academic research groups and University of Washington researchers and Cloudflare, and spent months and months and months working on this, actually.

And now I have a preprint up. I think it's going to be a pretty nice paper.

So, you know, that whole concept wouldn't have come up had I not been at Cloudflare.

So, really great source of new ideas. Great. I think it has been having a great outcome.

We'll be talking about MeetMe also during this week, either in both in CFTV and in the blog on Thursday.

But what I wanted to highlight is that when we talk about applied research in STEM, we all know there is a huge gap in diversity and inclusion as well.

According to this year's Cloudflare diversity, equity, and inclusion report, about 20% of Cloudflare's technical roles in engineering, network, and information technology are held by non-male employees.

So, as highlighted by Michelle and Matthew, Cloudflare's co-founders, diversity, inclusion, and equity are essential to the success of Cloudflare's business as well.

So, this is taken very serious at the company.

So, a number of initiatives are in place, starting from the recruiting process to employee resource groups in order to support more inclusive and diverse practices.

In our team, in the research team, we also want to encourage equal opportunities and a diverse and inclusive environment.

So, here's our call also to women and non-male genders.

So, Sofia, perhaps you want to share your thoughts on diversity and representation of women in research?

Sure. So, as we know, generally in STEM, there's a lack of representation, as Vanya said, of women and non-male genders working and also researching and also studying because it's since high school and since university, since school even, that women and non-male genders are discouraged to study STEM sciences in general because there's this stereotype that, in the case of women especially, there's a stereotype that women are not interested in mathematics, for example, or that that's not in a specific field that women excel at.

So, there's this stereotype. And that's definitely something that impacts all over the career of women and non-male genders.

And the reason why it's most of the time is that because you have the stereotypes that, since very young, are put into yourself.

And the second thing is that most of the times the industry and also certain research areas, the academia also, is very male-dominated.

So, not having women's presence or non-male genders' presence often impacts because then you feel like you are the only woman in the room, in my case, surrounded by an ocean of men.

So, that happens most of the time.

So, one of the things that I really like on the team is that we have a strong women's presence because we have one research and it is leading a lot of the privacy efforts, which is Tara.

We have a really amazing colleague, which is Tania, who is always looking at everything to the detail in a very hackering way.

And I love the way she works.

And she's pushing forward that. And, of course, we have Vanya, who's here, who's the research manager.

I'm really happy that that's being pushed forward.

And myself, sometimes, also looking at post-quantum cryptography.

So, that's definitely something important to always have on the team, to have a strong women's presence, because most of the time, if you're the only woman on the team, you feel that if someone made a comment or someone, you feel like they have a stereotype that you cannot say anything because they're going to be looked like the crazy one.

But then if a lot of other people feel the same or have had experience in the past, your voice is heard and it's not treated like, you shouldn't be here.

You should be more resilient. You should just leave the team if you don't feel good enough.

That's not the case on the team. There's always a support, because there's a lot of women on the team supporting each other.

So, definitely something great.

And as Cloudflare, as well, as Vanya has been saying, one of the pushes for Cloudflare is also to increase diversity on the Internet, on the Internet's working.

So, that, for sure, is something that has been pushing.

We have a lot of already employees group that are looking into this.

So, for example, one of the employees group, specifically for women, is called Womenflare, and they often the time highlight the achievement of women or provide opportunities for the women who are joining in general as Cloudflare, either as researchers, either as people who are part of the sales team, or either as people who are part of the research team, just to provide support.

And I'm really happy, also, that we're talking today about specifically this diversity, diversity in this day, because tomorrow is another loveless day.

So, it's always good to highlight the achievements of women on that day.

Yeah. Awesome. Tom, do you think it's important to have diversity of experience in research, as well?

Yeah, yeah, definitely.

And I think there's a representation issue in terms of making it comfortable for people in the room.

But there's also, you know, I think, deep problems with not having that representation, those perspectives, actually, for understanding computer security.

And so, for example, I do a lot of work in my academic group on understanding technology abuse in intimate partner violence, which is, you know, often almost, almost is very gender-based violence kind of issue.

And the types of threat models that we see in these tech abuse things, you know, I think they just don't necessarily occur to people, right, when they haven't had those lived experiences, those challenging lived experiences.

And so, one of the things, you know, that happens over and over again, as we go share what we've heard from survivors in intimate partner violence about technology abuse, you know, we share with technology company employees, like, oh, yeah, that hadn't occurred to me that this feature could get abused in this way, right.

And to me, that's a really strong sign, hey, we need more people with more diverse lived experiences actually thinking hard about these technology problems.

Yeah, that's one thing to add as well. Yeah, it's always very important to have diversity of experience, because no matter how much you read, or how smart you are, or how many books you read, sometimes certain experiences cannot be really conveyed by just writing, but rather always conveyed by the experience itself.

I remember, some years ago, I read an article about specifically how to avoid how to avoid someone looking at your passwords.

And they were recommending, for example, my writing into your computer itself in plain text as a note.

But what they were recommending is to actually put it as a post-it on your computer.

And I always thought like, well, that's not a good general advice for security.

But in general, if you're in a situation of intimate partner violence, it's even a worse situation, because the attacker is going to be asked to have access actually to what that post-it can also has access for the device as well.

And it's something that most of the time in the community doesn't occur itself, because a lot of people don't have that experience of having to be in a relationship where with intimate gender violence is happening.

So yeah, definitely, it's good to have the voices of different experiences.

But how can we find these people with diversity of experience that connects to this?

Yeah, so at Cloudflare, we're doing lots of effort, for example, of going already on the conferences and programs that are already trying to encourage women to join the STEM sciences.

So for example, in the past, we have went to Grace Hopper, which is a great event precisely for that.

In terms of specifically security and privacy, and specifically to cryptography, I would say that even compared to other areas of computer science, women are even less on security or cryptography, maybe because the community sometimes is not so welcoming.

But there has been some efforts, and I know that there are great women non-binary gender cryptographers who are pushing it forward.

They are creating community. So you can always find women in number 30, for example, is a great group.

There's always the seminar that Shafi Goldwasser also does at the Simons Institute around precisely encouraging women to join.

And we have been thinking with some women cryptographers as well to specifically create a group that potentially is going to be called Women in Cryptography, precisely to encourage women to search for cryptography topics.

Because also sometimes difficult as a woman, sometimes you don't have access to specific literature because they actively discourage you to read certain books or read certain papers.

Or sometimes because you're a woman that comes from, in my case, from Latin America, sometimes you don't have access to those places, to those books or to those articles, because you don't have enough money to buy them or to your country these books never arrive.

So actually also creating a place where certain kind of articles or certain kind of documentation can be openly shared.

So anybody who is interested in these have a place where they can read about them.

Yeah, it's certainly something that we should tackle even before, so while at university.

So Tom, could you share some initiatives that we all as a community and also in academia, we can work out to improve a better gender balance?

Yeah, this is a really big active topic in the university setting right now.

There's a lot of emphasis on diversity, equity, inclusion, efforts.

It's something we spend a lot of time thinking about and trying to actualize in terms of like, you know, what are the types of things we can do to make this a better environment for everybody, in particular, increased representation.

You know, I think even small things can help a lot, right?

Even at the research group level, like with making sure that, you know, having some, you know, conversations about representation, about making it easier for people to talk and be communicative, right?

Trying to discourage, you know, certain behaviors, right? Like always talking over women or like always taking up all the space in a room, right?

I try to talk to my students about these things and make sure that, you know, we have some clear conversations about it.

I think that even those little things can go a long way towards trying to make a climate that's, you know, more inclusive and welcoming for everybody.

But also I get feedback from my, you know, my female identifying students, for example, and ask them, like, you know, how are things going and what do you suggest, you know, we should be doing.

At the same time, I just always like to warn that we shouldn't just be putting all of this on the shoulders of, you know, women.

So everyone needs to do, and maybe even more so, you know, the white men in the room need to do their, the heavy lifting on trying to make sure that the environment's welcoming, right?

Yeah, certainly. I think at Cloudflare, we're doing a great job in encouraging and supporting more women to join the company.

Certainly also supporting new moms also to be able to balance work and maternity at the same time, which is a big endeavor.

But also, we're really, beyond this support groups, we're really doing a lot of stuff also early at recruitment process in making sure, as Sofia said, that we are not gender biased, and we are encouraging and taking an inclusive and diverse environment in the company.

So we're just in the last seconds of the session.

It was really good to have you here as speakers, and thanks everyone for joining us today.

If you're interested in joining Cloudflare Research, check out Cloudflare careers page.

Check out also our just launched Cloudflare Research website, and at, sorry, at

Apply, check our intern positions, check our visiting researcher program as well, and I hope you join us very soon.

Thumbnail image for video "Cloudflare Research"

Cloudflare Research
Don't miss these great sessions from the Cloudflare Research team!
Watch more episodes