Cloudflare's Speed Week teaser, APIs, exam-related shutdowns and WarGames 40 years-in
Welcome to our weekly review of stories from our blog and other sources, covering a range of topics from product announcements, tools and features to disruptions on the Internet. João Tomé is joined by our CTO, John Graham-Cumming.
In this week's program, we give you a teaser of what to expect from our Speed Week 2023. It’s our next innovation week, which is coming after this Sunday, full of announcements, new tools (that include AI and machine learning), and performance metrics. We also discuss the importance of Cloudflare API Gateway and of API-driven applications in general — given that now our service can protect GraphQL APIs against malicious requests. We also explain how exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test, and are recurrent in several countries.
Our fun fact of the week is related to the 40 years of the American science fiction techno-thriller film, WarGames — it was released in June 1983.
At the end, we have in our "Around NET" short segment, Mark Steyn, a Scottish Web Engineer, based in London, from our Product Experience team. He shares how he is doing a “50,000 steps for 50 days” challenge for his 50th birthday that also includes giving money to charity that offers support to children who have been bereaved.
You can check the blog posts:
- Protecting GraphQL APIs from malicious queries
- Exam-related Internet shutdowns in Iraq and Algeria put connectivity to the test
Follow the Speed Week 2023 hub for updates: cloudflare.com/speed-week/
Transcript (Beta)
Hello everyone and welcome to This Week in Net. It's the June 16, 2023 edition and in this case we're coming up on our Speed Week, so it will be next week, so we'll have a teaser about our Speed Week.
I'm João Tomé, based in Lisbon, Portugal, and with me I have as usual our CTO John Graham-Cumming.
Hello John, how are you? Hello, good afternoon.
Good evening for those out there. Good morning. Good morning, exactly.
Let's put it all into context. This next week we're going to have our Speed Week 2023, before it will be of course an important innovation week for us, as usual.
Next week's going to be a busy show and I don't know how we're going to get through it all because I've been reviewing the blog posts for Speed Week and there are, wait for it, 37 of them.
37 in five days. That's more than Developer Week that we had a few weeks ago.
That's right, yeah. It's roughly seven a day.
So a lot of announcements, deep dives, peculiar things, measurements, showing why we're faster, how we're faster, stuff about purging and Zero Trust and the network performance and broadly and workers and improving our KB store.
I mean all sorts of stuff around speed.
Yes, so that starts on Sunday. On Sunday, this coming Sunday, and it'll be the full week, right?
Yeah, it'll be the full week. It's a full innovation week.
So let's start with some of the blog posts from this week.
Actually, why not start about the importance of API, and in this case of Cloudflare's API Gateway, because we have a related blog post this week.
For those who don't know, what is the importance of Cloudflare's API Gateway?
Well, so I mean we have this product, it's called API Gateway, somewhat unimaginatively, and I mean a huge percentage of our traffic is from APIs, and APIs are behind, well, most websites now and also apps and everything else.
And what you want from an API Gateway is security.
So obviously APIs are a way in which apps and websites get abused.
So really protecting APIs themselves, which is a little bit different to protecting a website.
Management, monitoring, understanding how the API is used, authentication, routing, and then all the other stuff that Cloudflare does, right?
DDoS protection, SSLs, termination, load balancing, all those kind of things.
And so API Gateway is the product in our suite, and I guess the thing we're talking about this week is about GraphQL.
Exactly. Actually, just a fun fact, our API was announced last year, in March last year.
It was about a year ago that we announced API Gateway, exactly, and it's grown a lot, and we built a lot of functionality into it, and now we have this announcement around GraphQL about malicious queries.
Before going to the blog post, I think that it's also relevant to understand that API -driven applications are really important these days in terms of the Internet, right?
It was not the same Internet a few years ago in terms of the need for APIs.
Yeah, absolutely. I mean, APIs are a massive thing in terms of, you know, a lot of websites, and ours is a good example.
There's the website that you're looking at, and it is calling APIs on the back end to get information that gets displayed to you, apps you're using on your phone are calling APIs, you know, and so these are a vital part of how the Internet operates today.
Exactly, and going to the blog post that we published this week, it's a very specific protection in this case.
Well, it's about GraphQL. So, GraphQL is a very popular way through an API of querying data, and so it's a query language, the QL stands for done over HTTPS or HTTP, hopefully HTTPS, and it's fantastic, and we use it extensively in Cloudflare's analytics product, it's a user interface, it uses GraphQL, it's a way in which someone can get information, we do it in Cloudflare Radar as well, you can get information out of a system by querying the things you want to have, fantastic, but the problem is that power gives attackers power to take down an endpoint, take down an API, which can cause your website, your app to stop working, and so we've seen these kind of attacks against GraphQL endpoints, and so we're introducing a specific protection against these kind of attacks, and what a lot of these attacks doing is they are trying to nest information, because GraphQL allows you to make quite complicated queries, and if you can nest lots of things, it causes the back end to do a lot of work, this is sort of no different than the sort of attacks people make against normal kind of databases, we're just doing it with GraphQL, and so people, there's an example in here of how this operates, and so we have protection now against this, we built in Rust a very, very, very fast microseconds latency GraphQL parser, which allows us to look at the structure of the GraphQL coming in, and decide whether it is valid or not, or whether it is likely to cause a problem on the back end, and now we've given users, if you have a GraphQL API, you can go in and you can configure, in particular, the amount of nesting that's allowed, and that will actually hopefully protect your application from these kind of attacks.
Exactly, there's a few charts here explaining that, also how can you, in a sense, get started.
And for me, even learning about how the Internet works, and all that, it's quite amazing to see that, of course, if people are using more APIs, maybe there's a new way attackers can can explore vulnerabilities, right?
So the work on the attackers will go after anything they can, right?
And I remember one really great crafty attack, which was on a Bitcoin, a site that you could buy Bitcoin, and what the attackers did was they realized that they could open an account, not buy any Bitcoin, and ask for the balance on the account.
The balance would, of course, be zero, but in order to find out that the balance was zero, the website would go back to their database and query, has this user done any transactions?
Have they bought any Bitcoin?
And so that was an expensive operation, and so what the attackers did was they opened thousands of accounts, never bought any Bitcoin, so it was completely free to them, and then they attack websites by just saying, what's my balance?
What's my balance? What's my balance? And so attackers will look for these kind of weaknesses where something is slow, and GraphQL is just the latest in a long line of things that are attackable.
Exactly, and in that case, possibly those who started that service didn't think of that possibility, hey, maybe hackers will use this for attacking us, so sometimes...
Yes, that's actually very, very common. People don't think about the malicious use of a service, and also people often don't think about...
If you might think about a customer, one customer with something in their account, or nothing, they don't often think about what I call horizontal attacks, which is make a thousand accounts and use those a thousand accounts to do something.
This sort of thing attackers do, they sit there and think about, well, what would I do if I did this?
Would this work? Exactly, and there's also some asking for feedback here in terms of features, something really important for the products to be steady and whole.
So this is about, in this case, APIs.
New feature in our API gateway. Yep, if you go across QL and you're having attacks, we can help you out.
Exactly, and another blog post on a different matter, so not a feature per se, but on something that is happening in terms of a few countries, Iraq and Algeria in this case, and it's something actually you wrote about it also a few years ago, about Sudan, about all sorts of countries, and this is related to exam-related Internet shutdowns in these types of countries, in this case, Iraq and Algeria, this past month, and is ongoing, so it continues, where connectivity is put to the test.
For those who don't know, in some countries, in this case, Iraq and Algeria, governments shut down the Internet during exams, so it's for a few hours.
There are organizations trying for governments not to do that because that has an impact on the whole country, financial, but even in terms of social impact, so it's a true countrywide impact, but this has been recurrent, right?
As you say, this has been recurrent, right? We mentioned here in Syria and in Sudan, and as you said, I've written about it in the past, and it's a quite common thing to see happen where, to prevent cheating in exams, the Internet gets shut off.
In some cases, it's not the entire Internet. Sometimes it's blocking WhatsApp or other tools that might be used for cheating, but if you take a look down here, you're going to see in Iraq that you can guess when the exams were because there's these big dips in Internet use.
You can see these tremendous drops, and this will often happen around final exams in schools or exams for things like getting into the civil service or other high-value exams like that.
In the case of Iraq, it doesn't seem like it dropped. It went offline completely, but it was pretty big, so it's probably the case that they shut down, as you can see here, they shut down mobile networks in particular because people will have their phone with them.
It's probably the case that businesses that have broadband connections in the offices were still working and probably people at home, but as you can see, you see these total shutdowns in some areas, cell phone access, etc.
This is a relatively short period. It's a couple of hours, but in other cases, we've seen very long shutdowns of Internet use during exam periods.
I think if we go down to look at it, you see all these drops here, right? If we skip over it, you can actually see DNS queries changing as people are trying to get access to things and can't get access to things.
In Algeria, what's interesting is it points out here that quite a lot of governments publicize this.
They'll announce, tomorrow between 8 and 12, the Internet will be off.
They'll publish what's going to happen.
You can see this quite clearly in the trends in Algeria, where you see these areas where the Internet use dropped and then actually came back on again because they, in fact, turned the Internet back on around lunchtime.
That's what we do.
That's a very specific moment. Exactly. You can see it very clearly.
You can see when lunch happens as well. This is relatively common in some countries to help stop cheating.
True. There's a few things we can mention here. First we're testing directly from radar our embedded charts.
These charts that we have in the blog, those are embedded so people can interact with those and they can choose and see by themselves what time was this spike, things like that.
This is something new.
There's a really nice piece of functionality, right? If you see a chart on radar, you can actually take it, put it in a website of your own and then embed it.
Then it's actually interactive at that point, which is really, really cool.
These are not just images. Also, you've got the annotations here, these little orangey colored areas where we're able to say we know what this is.
We know why there was something that caused this change in traffic.
Exactly. There's a link to Twitter.
Actually, this is about the blog post. I can give the example of how we do these types of things.
It's the share button on radar and you can copy the code to get the chart you want.
If you select, you take something out, it will be as you selected before.
That's really helpful.
You can use fixed time data, but also real time data, which is amazing to be honest.
This is on radar .holster.com. Another thing I think we could mention here in this case is quite general.
As a former journalist, I was very curious about why countries do this.
Why Syria, Sudan, Iraq, Algeria, recurrently do these types of shutdowns.
It's exams, but in what way people are not cheating without Internet for two hours or four hours.
I got the chance to see an Internet society conference where they explain a bit of why this happened.
Apparently, in some of these countries, it's common that there are leaks of the exams a few hours before.
Because the exams are leaked, they are shared over social media or other apps.
That's why in these countries, they hope that by blocking social media or messaging or the Internet, as it turns out, it's sometimes this later one that's common.
They hope that it will avoid cheating. But from what the Internet society said in that talk was, it's not very successful because sometimes the leaks come a day before.
The Internet was available at that time. But at least the governments can say they're doing something about it.
Of course, this has a real world impact in terms of e -commerce sites and all that.
It has a huge impact, actually.
I remember talking to some folks when there was Internet shutdown in Ethiopia.
Some small business folks who had a business online. The Internet was going to be shut off for quite a lot of time, for a week.
They decided it was actually financially better for them to fly to Kenya and continue on their business for a week in Kenya and then come back to Ethiopia.
That was pretty wild.
Yeah, so they were traveling and changing their business to get Internet access.
That's incredible. And from my understanding, of course, although it has a real world impact in these countries, some of these countries' services are not as big as in Portugal, for example.
If something like this happened in Portugal, I think that would be a revolution, to be honest.
Especially if Benfica was playing at that time and people were trying to watch the match.
That's true.
That's absolutely true. So if it's a country where services are really big, so online is really big, that also has a higher impact, I think.
Didn't we see during the World Cup that in Iran, the Internet was operating when Iran was playing, and then they shut it off again immediately after the matches ended?
Immediately after the match was ending.
Right, like a few minutes after. That was true, yeah.
There you go. So that's football and the Internet. True, absolutely true.
Now, actually, we don't have more blog posts this week, but next week will be an amazing thing.
Brace yourselves. So why not go over a little bit of what to expect for Speed Week?
You already gave some teaser points at the beginning, but for those who are listening to this, what are the main topics of Speed Week that you think should be highlighted here?
Well, there's a bunch of stuff about machine learning and doing it fast on our network, how we do machine learning, how you can do machine learning on our network.
There's stuff about how we use the incredible scale of our network to know when there's bad Internet weather and route around it.
We have a system called Orpheus, which has been running for a long time that actually routes around problems on the Internet at large.
There's a new product called Observatory, which is how you figure out why your website is slow and what you should do about it.
A bunch of protocol stuff, a bunch of stuff about real user measurements, how we should think about that.
Streaming, lots of stuff about streaming.
Migrating off of other CDNs, doing that fast. A lot of measurements about how we measure ourselves against the competition and how we make sure we're the fastest.
In different products, right? Yes. Zero trust, CDN, all those kinds of things.
We re-architected our purge. Our purge has a really cool architecture, which is fully distributed across our entire network.
Rather than there being some central location where a purge starts when you're trying to purge something, now it can start anywhere in the network and spreads out.
That's actually really built on our Cloudflare Workers technology. Related to latency, right?
Latency in terms of- It's very low latency. Yes. Also, one of the reasons it's really cool is if you, let's suppose you're an EU customer, most of your users are in the EU and you do a purge, what will happen is it spreads out over the network.
That purge will have occurred extremely fast, like tens of milliseconds in Europe, and then it will spread out across.
You get this incredible benefit of being located and purging perhaps where it matters most to you.
New stuff around Brotli, which is a compression protocol, which we've supported for a long time, but we're turning it all the way up to 11.
That's the maximum compression level, really speeding things up.
Lots of stuff actually about speeding up web stuff as well.
What measurements you should be using and technologies you can use on our network.
A great story about the Eurovision Song Contest, which as you know, I am the world's greatest fan, or at least number two, where we helped protect and scale the voting this time around.
Yes, tons and tons of stuff.
Look for it next week. I helped a little bit on that blog post. You did.
I wrote a blog post about Eurovision last year in general, and in this case is how they are our customers, and we helped in the voting process also.
A lot of things.
Actually, there's a blog post, not a new one, but I think it shows a little bit of why performance and faster Internet is important, but also, and I want to highlight this, how latency sometimes is more relevant possibly than bandwidth for the user.
The typical user, the bandwidth of your platform is really important. It depends what you're doing.
I certainly remember the days when bandwidth was so bad that I had to wait for an image to load like this on the page.
At some point, you want more and more bandwidth because you're doing more and more things on the Internet.
I'm never going to say more bandwidth isn't good, but there is a diminishing return thing goes on, which is at some point, you probably have enough bandwidth to do the things you want to do, like we're doing a Zoom call together right now.
Maybe you're watching a movie in very high definition. That's great, but some things are very latency sensitive, and some things are very jitter sensitive.
Latency will really matter if you're doing online gaming.
You're playing Fortnite online, and you don't want any lagginess, and that will really be latency sensitive.
Yeah, this blog post is really saying that you shouldn't just look at bandwidth.
You should look at latency as well because that really matters.
We've written about this a few times.
Our speed test tool will actually test your network and show you the different parameters and give you an idea of if there's a problem on your network, is it not going to be so great for video calling, for example, or is it not going to be so great for gaming?
Bandwidth is just one of these. Actually, in SpeedWeek, we have a couple of blog posts which are about measuring the right thing.
It's interesting. There's an interesting analogy with home Internet, which is like people talk about bandwidth, but they also need to talk about latency.
People often talk about time to first byte for web stuff, but actually, there are other measurements, particularly largest content for paint, which is actually really interesting, which actually in some way reflects better what the end user is seeing.
Yeah, lots of speed coming up. Lots of speed coming up, different types of speed.
This week, we have a fun fact that is related to WarGames. It was on 1983 that WarGames was launched, a movie you...
It's important to you, right? Well, I mean, I love this film, and I don't know how many times I've seen it.
I definitely saw it in the cinema in 1983, and I've seen it on TV and all those kinds of things over and over again.
I think it's a great, great story. Of course, we get some of the terminology of hacking, for example, war dialing, war driving.
They all come from WarGames because David Lightman here, played by Matthew Broderick, was trying out phone numbers one after another, war dialing to try find something, and accidentally logged into the Whopper, which is the big computer in this place they refer to as the Crystal Palace.
So, yes, I love this film. It's great.
And I love it so much, actually. If I just look over in my office here, I have right here, this is...
Oh, wait, just for it to be shown. Yeah. You see this? This is my copy of the WarGames novelization, which I loved so much.
So I even wrote my name in the front of it to make sure nobody took it from me.
So this is based on the screenplay.
And I put, I don't know if you can see this, a plastic cover on the book.
I bought a cover. Slips on, it's not glued on, I didn't want to damage the book.
So I've owned this since, well, let's see, what does it say in here? I think this probably came out in 83 as well.
I wrote my name in it twice. Yes, it came out in 1983.
And this book enables me to be the most boring person at parties because there is a big difference between, you're going to love this story, there's a big difference between the book and the film, which is when David Lightman manages to get into the Whopper.
You'll remember that he doesn't know how to log in. And he's suggested to him that there might be a backdoor password.
And by doing a lot of research, he and his partner in crime here, figure out that the professor, Professor Falcon, had a child called Joshua, who died when he was young.
So they figured that the Joshua might be the password.
And in the film, the password is Joshua.
Now, why am I boring at parties? It's not Joshua in the book. Oh, it's harder than that.
It's Joshua five. And why is it five? Because the child died when he was five years old.
Oh, they had to try a little harder in the book. So anyway, you see, I'm fun at parties.
And I think if I remember correctly, the voice of Whopper is an English voice, right?
It's a well, the professor is English. Professor Falcon, I think, is played by an English.
John Wood. Yeah. And Ali Shidi plays David's partner in crime in all of this.
I mean, I love it so much. It's great.
I'm not sure if I've read this book that many times, but it was one of those things that it was essential to buy at the time.
So thanks, David and Jennifer Mack, for being the yeah, the great inspiration.
Exactly. And I think this is really, it shows a little bit of the Internet, the geekiness of the Internet, how they started and all that, that a movie of sci fi movie can influence like names can influence all sorts of things related to the Internet.
Of course, the Internet was like, starting to be a little bit more relevant at a time.
But well, there's no Internet in this movie, right?
They're literally dialing up, they're using, he uses an acoustic coupler to dial up.
And eventually, you know, all trying to steal a video game, right?
He's trying to steal a video game from a company called Protovision in Sunnyvale, California.
And he ends up dialing into the Whopper. Exactly.
And, but again, the influence is there, like, because there were a lot of people building things related to the Internet at that time.
It was on the news, the Internet was not on the news at that time was not a relevant thing.
Computing, yes, personal computers were starting, but like the Internet was a thing.
So it's quite interesting to see the impact it had so many years after.
Oh, yeah. And we still refer to it as war dialing, war driving, war, whatever.
So yeah, thanks, War Games.
And I think that's a wrap. We already done a good speed week teaser. So everyone don't forget to check our blog posts, announcements, deep dives, metrics next week on callflare.com and blog .callflare.com.
Great. Nice to see you as well.
Thanks for talking about War Games. We'll do a 30 minutes War Games where I bore people with War Games facts.
We could do it this summer when the blog is more slow, we can do a special one.
All right. See you. See you. Bye-bye. That's a wrap. Before we go, it's time for our Around the Net short segment.
This week we're going to travel to London in the UK.
Here's from Mark Steigen from our product experience team, and he's doing an amazing walking challenge that also involves giving money to charity.
Right.
So I'm Mark. I've been with Clamflare for eight years now. It was my anniversary last month.
I'm in London. I live in Greenwich, just outside London. I've been working from home since the pandemic.
And I currently work for the design systems team.
So doing the front end code for that. I actually really love the work I'm doing at the moment.
I've been saying to people, two things I like doing is I like making things.
I like making things better. So working the Cloudflare dashboard.
We had a major project that kicked off about six years ago where we completely rewrote the dashboard with different technologies.
And we made some mistakes and some gaps in it there.
So one of the things we're actually doing is making improvements around that and just providing a better experience for our users and for other engineers at Cloudflare as well.
So it's work I find very satisfying.
So originally I'm from a small town just like Edinburgh in Scotland.
And I love Edinburgh. It's my favorite city in the whole world. I live in London now.
I turned 50 this year and I want to do something to mark the occasion because my father died when he was 50.
So I want to do something for charity to raise some money.
So I want to see if I can walk 50,000 steps a day for 50 days because my dad was 50 when he died.
I'm 52. So I'm actually just about a quarter of the way through that now.
So I started the week before last. I only told people about it last week just to make sure I wasn't going to fall down the first hurdle.
So I gave myself some time to actually make sure. The first week is quite difficult, but I feel like I've built up some tolerance now to all the walking.
And yeah, I feel quite confident that I'm going to do it now, which is good.
Why is that charity in particular is important? It's charity that offers support to children in particular.
I've lost a parent and one of both parents. And obviously having been through something similar to that myself, I understand how important it can be for children to actually receive that sort of emotional support.
I think people or society is much better about helping children out these days.
But obviously it's very easy when something that happens, particularly, you know, there's so much going on.
It's easy for children's feelings to fall through the cracks.
So yeah, I hope it can help children to difficult time in their lives. Any advice to people who want to walk a lot like you are doing?
Don't do as much as I've been doing, or at least ease into it.
I should have built up more, but other things going on.
And the reason why I actually had this in mind is I started walking a lot during the pandemic, working from home.
I tried to make sure that I go for a walk before starting work in the middle of the day during lunch and after work as well, just to get some structure to the day and make sure that I'm not just rolling out of bed onto my desk or just going straight from my desk to the couch or something.
Actually just like I said, bringing some structure into it. And I actually found myself pushing myself quite a bit then.
It's during one month of the pandemic, I actually averaged 44,000 steps a day, which is why I was fairly sure that I could actually manage this as well.
And that's kind of where the idea came from. Definitely build up to do it gradually.
I walk quite a bit anyway, so it's like 20 ,000 steps a day wouldn't be unusual for me.
But doing 50 without being able to take a break, doing it day after day, it's been quite hard.
Any suggestion or advice of someone who is doing 50?
I think everybody approaches it differently. I think the most important thing is just to have fun with it.
I know a lot of people worry about turning 50 or view it as a turning point in life, but ultimately it's just another day and it's what you make of it.
So basically have some fun. One thing I'd like to say, if you don't mind, is just to say thank you to everybody who's actually contributed to the charity and the GoFundMe.
I haven't actually been in contact with the charity yet.
I'm actually going to write them a letter or an email just explaining what it is I'm doing and a bit more about why as well.
So I hope to get a response from them as well.
Just something I can share with people at some point and just hopefully say that the contributions have actually done some good.