Cloudflare TV

This Week in Net: Security Week special edition

Presented by João Tomé, John Graham-Cumming, Mia Wang, Michael Tremante
Originally aired on 

Welcome to our weekly review of stories from our blog and other sources, covering a range of topics from product announcements, tools and features to disruptions on the Internet. João Tomé is joined by our CTO, John Graham-Cumming.

In this week's program, we go over some of the announcements we’ve made during Cloudflare's Security Week. We had several tools that leverage machine learning and many improvements to our Zero Trust product, making it more accessible and enterprise-ready. We go over phishing and fraud protection, security management, and trends you should know about.

At the end, we have in our new “Around NET” short segment, contributions from Michael Tremante (based in London — from the Applications Security team) and Mia Wang (based in New Jersey — from our Special Projects team and working on our Workers Launchpad Funding Program).

For more, don’t miss the Security Week Hub.


Transcript (Beta)

<v João Tomé> Hello and welcome to This Week in Net everyone. It's the March 17th, 2023 edition, a special edition related to our Security Week.

Full of announcements in terms of Machine Learning, Zero Trust, there's a lot.

I'm [inaudible], based in Lisbon, and with me I have, as usual, our CEO, John Graham-Cumming.

Hello John, how are you?

<v John Graham-Cumming> Hello, good afternoon.

From Lisbon, too. <v João Tomé> Exactly.

The weather is a little bit better today. Yeah, yeah. <v John Graham-Cumming> Yeah.

Last time we did this, the weather was, it was cold and rainy. And now. Yeah. Looking out the window.

We've got some, this is what was promised when I came to Lisbon.

So here you go. <v João Tomé> Better.

Although I got into some rainy hour driving my motorcycle to the office yesterday, we had a developers' day at the office where developers were at the office.

That was interesting. And I got a lot of rain going into the office to that. <v John Graham-Cumming> Well, hope you'll dry out today.

<v João Tomé> Exactly.

So, a lot to discuss. So, first, we have this Innovation Week. This is the second one of the year already, before we had CIO Week.

So Security Week first, why do we have Security Week?

It's not the first one. We usually have Security Week. And why this one is different from others.

<v John Graham-Cumming> Well.

So first of all, we do these Innovation Weeks where we package up a bunch of announcements about products, about features, about technologies.

As you said, we had CIO Week, we had Developer Week before, we had Privacy Week, we had GA Week, and so on.

So you can be guaranteed when we start doing one of our weeks that there's going to be a bunch of announcements about our products.

And so, you know, today it's, well, this week it's Security Week.

We're actually coming to the end of it now.

And why security? Well, I mean, a lot of what Cloudflare sells is security, right?

You know, if you think about Cloudflare, think about Cloudflare as providing four major themes, right?

Which is performance, security, privacy and availability. And so, you know, here we are in one of those, which is the security side of things.

And so there's a bunch of announcements.

And actually, as you said, I think one of the themes for this week is kind of machine learning.

There's just a lot of machine learning happening on Cloudflare's network and with the vast amount of, you know, security data we see collectively protecting our customers.

And so you see that throughout some of the announcements this week.

<v João Tomé> Exactly.

And there's a lot there; in terms of machine learning, it's like a very broad term for different tools that we have.

I was counting and I think it's like 34 new tools and integrations with different capabilities that we announced this week.

And there's a wrap up blog post also coming up that people can browse on Monday.

Yeah, on Monday. Yeah. Yeah. So but why not start with the first blog post we had in the beginning of the week, that was focused in general on brand safety and those who are trying to impersonate brands in phishing attacks, because email is one of the main ways that hackers use to find vulnerabilities and enter systems.

Right? <v John Graham-Cumming> Well, I mean, we've all experienced this, right?

You've received an email pretending to be your bank or pretending to be Amazon or pretending to be a delivery service, or you've received a text message saying, "Hey, there's a package waiting for you.

You know, you need to click on this link." And the link looks vaguely like a real company.

You know, it'd be like, you know, they're impersonating DHL or something and it'll seem to have DHL in the URL and you think, "Okay, well it must be real." So that kind of that kind of brand impersonation is actually a pretty big problem, especially from a phishing perspective.

And you're absolutely right.

One of our first announcements this week was about, you know, staying safe and also about which brands got impersonated.

So, you know, because we see so much information about domain names through our DNS resolver, we're able to take a look at actual domain names that are being used for phishing attacks against people, be they phishing through email or phishing through an SMS, called smishing.

I think sometimes, which is kind of a difficult thing to say, the different type of way.

Yeah, we listed out, I think, like the top 50. The brands that we've seen impersonated are quite interesting.

So AT&T, you see the URL, it's like, not a genuine AT&T domain name, but hard to tell.

Look at number two, PayPal, people, you know, trying to get into Microsoft and so on.

And so you see this kind of thing happening all the time. And what we're doing with this product announcement is helping protect brands and users against this kind of, you know, brand impersonation by, you know, people who are trying to probably steal passwords or get you to pay a fee for something you shouldn't have to pay a fee for.

I mean, one of the classic ones is the, you know, I think early, high up the list, there was DHL.

You know, people are saying "You've got a package waiting, you need to pay a $20 customs fee" or, you know, something like that.

These are all pure scams. <v João Tomé> Exactly.

And we can see also different types of domains or, in this case, companies that are being impersonated, like Swiss Post.

So this is in Sweden, or East Japan Railway, or things very focused on banks like Chase Bank, things like that.

Banks, yeah.

In Brazil also, so different countries some are focused on specifically.

<v John Graham-Cumming> Postal services are actually a pretty popular one, postal and delivery services.

It's a way of getting people to pay money for things they shouldn't be paying for.

And then obviously banks, you know, breaking into banks to try and get, you know, steal your money directly.

So yeah, we see lots of stuff like that happening.

<v João Tomé> So yeah, exactly.

And in this case, we're adding the Zero Trust force, in a sense, to combat this, right?

<v John Graham-Cumming> Yes.

That's right. You know, we're adding this into our product suite.

And, you know, we're automatically dealing with, you know, anti-phishing within the product suite.

So. Yep, that was one of our first things. And, you know, learning from the data on our network about what's happening in terms of, you know, phishing, and then using that to protect our Zero Trust customers so that their employees don't get phished when they're using their company connections.

<v João Tomé> Exactly.

In a way, it is something for you not to think about. Zero Trust is there, but it's really important when you click on the wrong link, when you have the behavior that sometimes even you know is not the correct one, right?

<v John Graham-Cumming> It's hard to tell, right?

Because, you know, companies themselves use lots of different domain names and then, you know, attackers are able to manipulate you by saying, "Well, no, you have to click on this thing or whatever." So, you know, I think it's, um, I think it's one of those things where attackers are doing their best to fool us in order to, you know, at a weak moment, you might be expecting a package and you get a thing saying your package is waiting.

You need to pay this €5 fee to, you know, things like that.

<v João Tomé> Yeah, we also have an advice blog post, very high level blog post on how to avoid being phished in a sense, being the target of those attacks.

Also on Monday, we also had some announcements in terms of customers that use Page Shield, right?

Cloudflare's client-side security solution.

<v John Graham-Cumming> Yes, yes.

So this is one of these really big problems, right? Which is that it's very, very common.

I mean, I think almost every website does this: they include, in particular, JavaScript from third-party sources, where it might be fundamental to the layout of the page, or it might be to add some functionality like translation or a chat box, or it might be, you know, actually how the page is constructed, with something like React or Bootstrap or something.

I mean, these are things that are included in the page that are coming from third-party locations, usually from a popular JavaScript repository, CDNJS or one of the other ones.

But lots of things get included. But this has been a vector for attacks against companies, because if the bad actor can compromise or change the thing that's being added to the Web page, then they can affect the Web page.

And there have been famous examples of this, something called Magecart.

Um, you know, certainly I was affected by the fact that British Airways got hacked and I was a British Airways customer in this way.

Lots of people affected by this problem. And so how do you deal with this?

And what we're adding in Page Shield here is called Positive.

It's basically a positive security model, which is to say only these scripts are allowed to be included in the page.

And I think that, um, you know, that greatly reduces the attack surface because then the owner of the page can decide what gets, you know, gets included.

But it will block third parties, things that are not in their 'allow' list of stuff.

And we also help them figure this out because one of the difficulties people have is that they don't actually know all the things they're including.

And so, because of the way Page Shield uses CSP (Content Security Policy) to monitor what's actually being included, we can show the website owner, you need to have these things, and then they can click on it and say, okay, then I will only allow those things.

And therefore, if something gets compromised, what typically happens is an extra script gets added and Page Shield will prevent it from running and prevent the attack.

<v João Tomé> Yeah.

It's a good way to again to have safety in place without being too much worried about that in a sense.

<v John Graham-Cumming> Well, it's just such a very difficult thing for people to actually get a handle on.

To be actually able to monitor it and then say, "Okay, we'll only allow these things," then, you know, it was.

You know, it's a very powerful technique.

<v João Tomé> Exactly.

I'm showing right now, for those who are hearing this in the podcast format, our page that puts all of the blog posts together in a very easy way to find them, so anyone can browse through them.

Um, another thing that we announced this week, I think on Tuesday already, it was related to migration from Zscaler to Cloudflare One, in terms of making that experience easier, frictionless in a sense.

Do you want to go a little bit in terms of there? We also have a lot of tools related to Zero Trust.

New tools, integrations, things like that, right?

<v John Graham-Cumming> Yeah, well, I mean, Zero Trust is a huge part of what Cloudflare does, right?

So you'll see these different things.

I mean, the other announcement here, I mean, there's this Aegis thing which is using dedicated IP addresses.

So one of the issues that companies moving to Zero Trust may have is that any reasonably sized company has got quite a complicated environment of integrations, and one very common technique to provide security, albeit not great security, but security to a certain extent, was to have certain services that allowed connections from dedicated IP addresses. And, in the end, the Zero Trust model says, you know, it's actually about authenticating the end user.

It's not about the network they come from.

And so IP addresses don't necessarily really make sense within the context of Zero Trust, but you have to meet people where they are, right?

And so companies are making these transitions.

And so what Aegis does is it allows you to have dedicated IPs from Cloudflare for the connections from Cloudflare to your services, to make it easier to go through the journey of moving from an old way of doing things to the Zero Trust way of doing things.

So it's really part of, like, how do you actually make the transition to a Zero Trust world?

And you can't, no company can do it in one big bang.

There's just too many services, there's too many things that are connected.

And so this allows you to maintain what you may have had in the past, which was dedicated IP addresses.

As you go through the transition and eventually, hopefully you get rid of the dedicated IPs and you're using authentication, which ensures that the, you know, the user or the services are allowed to connect to that particular backend system.

But I think this is great. This is just all part of the whole process of how you move to Zero Trust.

<v João Tomé> And so you can maintain a few things that you had before to make it easier, in a sense, in that process.

So, yeah, there's a lot here in this blog post for those who want to explore.

<v John Graham-Cumming> Yeah, he explains it all.

He explains all about the history of why people use dedicated IPs and the Zero Trust model and how these things work together.

<v João Tomé> Exactly.

And there's this famous, I think, expression now, "shields up". Even the US government is using it, and it's really about being safe and prepared for all of those things that are around.

On Tuesday, we also had our State of Application Security in 2023 report, in a sense, with a lot of interesting data in terms of security, in terms of what type of attacks are out there.

Right? <v John Graham-Cumming> Yeah.

So this is, you know, as you know very well, we have a thing called Cloudflare Radar, which is a product you can go visit and get insights into what's happening on the Internet today and in the last few days, the last few weeks, with lots of detail where you can dig down into different areas.

And one thing we've done here is in this report, we look at Application Security.

So, what's happening at the sort of HTTP level and things like that?

And you know, to give you some context, I mean, Cloudflare handles something like 45 million HTTP requests per second.

And so we're able to dig into that and look at the security and what's happening.

And I think this first thing is kind of interesting, which is that, um, it's kind of a good news thing, right?

Which is that the percentage of traffic which is actually being blocked or handled because it's bad, and we use the term "mitigated" for that, has actually dropped to 6% from where it was, and has actually declined across the last year, which is kind of interesting.

And I think what this says to me is that as we are using the Internet for more and more stuff, we're kind of drowning out the bad stuff now.

It doesn't mean it's going away.

It just means that, proportionally, we're doing more good stuff than bad stuff than we were before.

Right? Because the bad stuff was up there at the sort of 8% kind of level.

Um, unfortunately, the flip side of that is, given that we are using the Internet more and more, even though the percentage has declined, there is still a tremendous amount of bad stuff happening.

So, you know, it's out there. And what is the part of that bad stuff?

DDoS attacks. Um, you know, they seem to have gone into a lull a few years ago and they're really back with a vengeance in terms of size, in terms of techniques.

You know, we had an absolutely massive DDoS attack at the HTTP level, which happened in February.

And I think that this what this is really saying is that DDoS, which in some ways is easy, it's kind of the vandalism of, you know, Internet attacks is nevertheless a really big deal.

And people need DDoS mitigation of some sort, which is one of the reasons why, I think, years ago, we threw it in, you know, made it unlimited as part of our products.

<v João Tomé> Um, there's actually one thing about the mitigations request chart that I find interesting.

It starts in March 2022 until now and it's decreasing. But if you remember, we did the Ukraine, one year of war in Ukraine blog post and mitigations were like through the roof in Ukraine but also in some countries at that time.

So I wonder if there's a relation also maybe to that. <v John Graham-Cumming> Maybe next year we'll be looking at how there was a resurgence with one year of the Ukraine war.

Absolutely. But anyway, as you can see, DDoS is really, really big.

And then it's the WAF. The WAF is blocking actual patterns of attacks.

And so I think, you know, that's obviously a huge part of what we do is figure out, you know, particular types of attacks.

And actually we talked about machine learning at the beginning.

And one of the things we announced was the machine learning a little while ago, which is actually out there finding zero days, finding unknown attacks automatically using machine learning.

So. <v João Tomé> A lot of things to explore here.

Also in terms of those types of applications that are more attacked.

We also have some information there, right?

<v John Graham-Cumming> Yeah, there's some information about the types of things, I think, as we go down, I mean, like bot traffic, you know, there's a lot of bots out there.

I thought it's interesting that Microsoft Exchange has been attacked a lot, presumably because people are trying to break into corporations, over time.

So yeah, worth taking a look at that if you're interested in insights into what's happening in terms of application security.

<v João Tomé> Where to go next?

We had also a few more announcements also in the Zero Trust front.

<v John Graham-Cumming> Well, let's talk about the Silicon Valley Bank thing, because I actually thought that was really interesting.

<v João Tomé> It is, and it's very up to date.

So it's something that is happening right now. Yeah.

<v John Graham-Cumming> So, I mean, if you go back, you know, it's been going on for over a week now.

Silicon Valley Bank got into trouble, essentially collapsed, got taken over by the FDIC in the US.

Came back to life on Monday morning, basically under the auspices of the US government.

And after there was a bank run. And I think the thing that's interesting is whenever something happens like this, whenever there's any sort of high profile event, good or bad, um, you know, bad actors will take advantage.

They'll figure out how to take advantage of it.

Back at the beginning of COVID, when people were being forced to work from home, we saw loads of phishing because bad actors realized that people were being asked to log into their companies in weird ways and so they could trick them to get passwords and stuff like that.

Well, what's happened with Silicon Valley Bank is that people moved money out of the bank because of the run, or they wanted to and they didn't.

The bank is back to life. And now what the attackers are doing is they're sending out phishing emails pretending to be SVB, and there's a really great picture of one here.

This is a real email that was sent to the CEO of Cloudflare.

Um, it looks like it's from Silicon Valley Bank.

It's, um, it is a DocuSign. It looks like it's DocuSign.

So it's like a sort of thing you might be familiar with signing a document online and it's saying that they need to do the know your customer, the KYC stuff again.

And this could be kind of plausible, given that the bank has been taken over by the government.

There's probably all sorts of checking going on and, you know, legal things happening.

But in fact, this is a phishing email. This is trying to steal banking details, presumably to extract money from the bank.

So, you know, this stuff happens.

And actually, if you look at the timeline, it's kind of interesting.

They only spent a couple of hours sending out emails.

It was like a very "boom", hit as many people as they can.

And then we have a lot of details about what it actually does. But actually it isn't DocuSign.

It ends up, you know, taking you to a place asking you for your banking details.

So whenever something happens, phishing people will, you know, do what they can to trick people into giving up passwords or banking details or paying them money, all sorts of things.

So anyway, this blog post, then you wrote a blog post to kind of go alongside this kind of stuff about what to do about phishing, right?

How to keep yourself safe. And I thought that was pretty good advice in it about, you know, how to think about phishing and how to keep yourself safe, a lot of which is don't click on links.

And don't click on links that tell you you need to do something urgently.

You know, if your bank writes to you and says, you know.

<v João Tomé> Hackers are seeing the news.

They are seeing the news, and they know if something will preoccupy most people.

<v John Graham-Cumming> Yeah.

This is your...

What was your top tip from this? <v João Tomé> My top tip?

Don't click on links, I think.

<v John Graham-Cumming> Don't click on links on the internet.

<v João Tomé> Yeah, but I think there's a good one that is also related to something that was recently on Twitter, because Twitter took out two-factor SMS free of charge.

Now it's only for Blue subscribers, but I think that highlights the importance not only of two-factor, but of two-factor not using an SMS, but using a hardware key.

So I think that was actually something you asked me to mention.

Yeah. <v John Graham-Cumming> Hardware keys.

They are, you know, they saved Cloudflare during the 0ktapus phishing stuff last year, and, you know, using them as your second factor if you can.

And one of the things about hardware security keys is, I think a lot of people, um, kind of find them odd to work with.

You have to have this key with you that you have to plug in to your laptop in order to log into something.

But we all have keys for our homes, which, you know, nobody finds that weird.

Like, I actually think the use of hardware keys is actually pretty simple.

Once you've done it a few times, like, Oh yes, I need my key to log into this thing and you plug it in and you do it and they do really, really, really work.

<v João Tomé> They're very small.

You can include them on your keyring or you can include them in all sorts of places and have more than one possibly.

<v Speaker3> Yeah, absolutely.

<v João Tomé> More things from this week.

So, Wednesday was the machine learning day in a sense.

We had a bunch of blog posts that highlight how we use machine learning for all sorts of things.

Do you want to highlight some of those things?

<v John Graham-Cumming> Well, yeah, there's a lot of machine learning things.

So, I mean, we announced fraud detection, which is going to use machine learning.

And that's a product that's under development right now to do automated fraud detection.

We announced a bunch of stuff to do with API endpoints and that was a really interesting announcement.

So a huge percentage of Internet traffic is APIs, and companies want to protect those APIs because APIs have a real structure to them.

There's things you can do, if you know the structure, to know if an API request is genuine or not.

If you look at the schema, and there's things like that, but actually figuring out what is an API and what's not, weirdly, for a company can be difficult because they have many, many APIs.

So we've applied a machine learning technique to that.

So we will automatically discover the API endpoints a customer has and we can also build the schema as well.

So this makes it very, very easy to, you know, to discover and protect an API.

So that's another use of machine learning on the API side.

And if you go back, I think to the list of announcements, you'll find there is more machine learning.

So the next one, which is API abuse using sequence analysis. So this is also really interesting, which is that an app or a website, when it's calling an API will typically call the API in a certain manner.

So like, for example, if you log into your bank on the app, there will be a login.

Then it'll probably say, give me a list of accounts, and then those accounts will get displayed to you, and maybe there'll be an API call to get, you know, some other thing like the latest ad they should show you in the app or something.

There are sequences that happen very, very commonly and then as you click around, "Oh, I'm going to do a transfer," okay.

And then there will be API calls, right?

We can learn those sequences, and therefore we can spot anomalous sequences, which is an attacker trying to do something nefarious with the API.

Like, you know, you might not do five transfers in a row. That would be weird.

So we might be able to spot that. So we're going to do that for APIs using sequence analysis, where we'll show you what the sequences are, which will allow you, maybe not necessarily to block a weird sequence, but maybe you challenge it, or maybe it goes into the WAF or other things.

So that's another machine learning thing.

And then if we flip back to your list again. The next one is <v Speaker3> malicious domains.

<v John Graham-Cumming> So, you know, what we're doing here is, there are some domains that are specifically used for malicious purposes.

So there's a couple of things that are done.

One is to exfiltrate data or to do command and control. So, if the only way to get in and out of a company is DNS, there's something called DNS tunneling, where actually the domain name being used, or part of the name, is actually a command or data that's being extracted.

So that's called DNS tunneling. And then there's domain generation algorithms which malware uses to get around blocking.

They will come up with new domains maybe every hour, maybe every day or something like that.

And again, using machine learning, we can detect these bad domain names.

And interestingly, we're actually using some techniques which underlie the big LLMs, the large language models like ChatGPT, because here you're fundamentally looking at language and words, and so we've actually built a big model which allows us to do that.

It allows us to spot the difference between a genuine domain name and something which actually a piece of malware is generating.

So again, another piece of machine learning, lots of machine learning this week.

<v João Tomé> Exactly.

And again, machine learning is part of AI. We actually had this discussion in terms of AI being a name, but when it's machine related, is machine learning the right way to call it?

So it makes sense to still call it that.

<v John Graham-Cumming> Yeah, and the one right there, the WAF attack score.

That's the attack score, again, a thing generated by machine learning which goes into the WAF.

And then now it's available to our business customers as well.

So we're trying to, as we always do, democratize access to all of these technologies.

So, customers on the Business Plan using the WAF will be able to get access to the WAF attack score and they can use that to make a decision about whether to allow a request or not.

<v João Tomé> Exactly.

So a lot of machine learning there. We also had on Cloudflare Radar our newest free tool, URL Scanner.

Also useful for all sorts of things, even security wise, it is useful.

<v John Graham-Cumming> Yeah, well, I mean, just to go back to that, you know, phishing at the beginning, if you get a weird link and you're not sure if it's a good link or not, you know, one of the things you can do is you can type it into the Radar URL Scanner, and we will tell you what we think about the link.

And so in particular, we might be able to tell you if it's phishing, if it's already been classified as phishing, we can show you the page in a safe way.

We can show you information about how the page was built.

And so I think, you know, this is a useful tool for doing analysis on a domain without you ever having to touch the domain yourself.

So why don't we do one? Let's see if we can do one live while we're here.

That's not a very interesting one.

Let's think of some other interesting URL. <v Speaker3> We know Google.

<v João Tomé> There's some recent scans.

You want to choose one of these recent scans? <v John Graham-Cumming> Yeah, we should.

So for example, someone's typed in a Bitly link there. So it would actually tell them what that Bitly link goes to, right?

So it'll go in and it'll say, you know this, this has been blocked, so this was a bad link.

So there you go, you see.

So that was saying that someone was saying this was a bad link. And so, you know, you shouldn't click on it.

And what's nice about this is that it uses Cloudflare's Remote Browser Isolation technology.

So it will actually look at the URL for you in a safe environment and then give you information about it.

So that means you never have to end up, you know, touching something on your own machine that could potentially be a harmful link.

<v João Tomé> Exactly.

You can see the links that are inside the whole thing. Yeah. <v Speaker3> Yeah, yeah.

<v John Graham-Cumming> That's another free tool from Radar.

Radar is growing and growing and growing, if you haven't checked it out.

radar.cloudflare.com. Tons of useful stuff there. <v Speaker3> True.

<v João Tomé> Yesterday, we had a post-quantum day with a few announcements.

You should go into that.

<v John Graham-Cumming> Yes.

So I think one of the things that's super interesting is this top blog post here, which is Post-quantum crypto should be free.

So, you know, the summary is quantum computers are coming.

We don't know the exact date, but they will threaten the encryption we have today.

So we need to upgrade to use encryption which is protected against quantum computers.

In order to do that, there are algorithms that have now been standardized.

Cloudflare has been very involved in that process. And so what we're saying is that we are committing to including post-quantum crypto in everything we do going forward.

And the reason we're doing this is that there are some people in the industry who would like to make this an added extra, where you have to pay more.

And we think that's a terrible mistake. We think that security ought to be included, and we don't see any good reason to say, you know, we'll just stick with the old algorithms when there are free and open source implementations of the post-quantum crypto algorithms.

And so we're committing that whatever plan you're on with Cloudflare, you will have post-quantum cryptography included as part of it.

It's not going to be a paid extra and that means pretty much everything, right?

So connections to Cloudflare, connections from Cloudflare, connections inside Cloudflare, Cloudflare Tunnel, WARP, etc.

All of these things will be post-quantum ready so that when quantum computers do become reality, all of these connections are already protected.

<v João Tomé> And that is more important than I think most people realize, because quantum computers will definitely change things when they will.

Although they will. It won't be right away, but even from the past, they can browse through the past in terms of.

<v Speaker3> Well, that's one of the problems, right.

<v John Graham-Cumming> Which is if there is an adversary like a major intelligence agency somewhere who is recording Internet traffic today, once they get a quantum computer, they will be able to go back and break that encryption.

And so that's actually why we need to do it now is to protect against a future threat both of breaking things that are actively, active connections, but also breaking things that might have been recorded in the past.

<v João Tomé> Exactly.

There's also a blog post related to that that explains why AI did not break post-quantum cryptography.

<v John Graham-Cumming> Well, yeah, because there was this strange news report that an AI had cracked post-quantum cryptography.

And so it was like, well, no.

And so this is actually a very detailed blog post.

So Bas and a couple of guest authors have really dug into the situation.

And no, we are not, there's not a problem; the post-quantum algorithm, Kyber, is perfectly safe to use.

And you know, we can continue to roll it out without being worried about things.

But it's one of those funny things, right? Because it's like it hits all of the buzzwords at the moment, which is like there's AI and there's post-quantum and you know, you know what's happening here, but it's worth a read.

You don't necessarily have to read the whole blog post because maybe it gets a little bit too technical, but it's about a basically a side channel.

A side channel is a way in which something cryptographic leaks information, not necessarily directly from the algorithm itself.

The algorithm itself is safe, but you might be able to tell information from the power consumption of the machine.

If you're doing very sensitive measurements, for example, you might be able to tell when the machine is dealing with a one or a zero.

And the side channels are a problem in general in cryptography.

And that's what this particular "AI beats post-quantum" story is all about.

So worth a read if you're interested in those two areas. <v João Tomé> Before we go, I think we should also mention Cloudflare's channel partner award winners of 2022.

It's out and it's all about our partners.

So that's also a good mention for people. <v John Graham-Cumming> Yeah, we have a huge, huge slate worldwide of channel partners who work with our customers directly, selling, installing, maintaining and upgrading Cloudflare services for them.

And the Partners team puts together awards for the particular partners we work with.

And so this is just to recognize those partners who've been a part of making Cloudflare successful, because they really understand their customers extremely well and can help recommend Cloudflare products to their customers and then help their customers actually run them.

So yeah, that's the partner awards.

We do this annually and, you know, if you're interested in a Cloudflare partner you'd like to work with in a particular area, this is one list of partners you might want to know about.

<v João Tomé> So there's a lot from different regions, so you can browse.

<v John Graham-Cumming> All over the world, Cloudflare is all over the world.

<v João Tomé> Exactly.

Also, a few things. IBM Cloud works now with Cloudflare to help clients modernize and deliver secured cloud infrastructure.

And today, when we're recording, it is not live yet, but it will be shortly.

We also have a blog post.

Let me see if I can find it related to, DMARC Management.

Stop impersonations with Cloudflare DMARC Management.

Yes. What can we say about it? <v Speaker3> So, um.

<v John Graham-Cumming> So Cloudflare actually has a piece of source code for helping with automation of DMARC management.

DMARC is a technology used for protecting email, making it possible for you to know if an email is genuine or not.

And in particular, again, back to the brand impersonation side of things.

You get an email that says it's from Nike, but it's not actually from Nike, for example.

We built a product that does this DMARC management that helps automate this.

It helps you understand how you need to configure DMARC, because it can be a little bit tricky.

And also what's happening in terms of emails that might be getting blocked or allowed.

And the product is there and the product is, is launching.

But what I think is interesting in here, first of all, is there's a description of DMARC and how it works and its relationship to other email standards, SPF and DKIM, which it basically wraps up together.

But the fun thing is we built this entire product on Cloudflare Workers and the nice thing is that we were able, because we can handle email in Cloudflare Workers because we have a database, because we have storage or object storage, we're able to build the entire product on our developer platform and we're seeing more and more of this at Cloudflare.

Just the other week we launched our Mastodon implementation, Wildebeest, that's also built entirely on Cloudflare Workers.

So if you're interested in DMARC, or if you're interested in real things that got built on Cloudflare Workers, it's here, and the code itself is being open sourced.

<v João Tomé> We also have a blog post on how we built DMARC management using Cloudflare Workers.

<v John Graham-Cumming> Yep.

There it is. That will come out today and it gives you all the details on how it was built using our own platform.

<v João Tomé> Exactly.

So a lot of tools, Zero Trust, machine learning to help in this case. A lot of tools this week.

Any final thoughts you want to share? <v John Graham-Cumming> Well, I mean, I'm looking forward to the other innovation weeks that are coming up.

So, you know, stay with us for more Innovation Weeks because there's a lot of exciting stuff.

I think we've done quite a lot of announcements this week about machine learning.

I think you're going to see a whole bunch more that are slightly even more AI related coming up soon.

So stay with us. <v João Tomé> Exactly.

A lot to discover and browse and test. <v Speaker3> João, thank you.

<v João Tomé> Thank you.

Bye bye. Last but not least, a big shout out to all the Cloudflare teams around the world that help put Security Week together.

It was a week full of machine learning models, new tools for customers.

So a lot of innovation put together and this was a big effort throughout the company.

So thank you so much for your hard work.

Before we go, we have again this week, two short videos in a segment we're calling Around Net.

And first, we'll have Michael Tremante. He's based in London.

He's director of product focused on application security. After Michael, there will be Mia Wang.

She's from our special projects team. She's a strategy director and she's based in New Jersey.

See you next week. <v Michael Tremante> Hello, everyone.

Michael Tremante here from the product management team working on application security.

A little bit about me. I was born in Basingstoke, UK, but when I was three years old, as my dad is Italian, I actually moved back to Italy and grew up in Olbia, Sardinia.

This week for Cloudflare Security Week, one of our innovation weeks, I wrote and helped out with two blog posts.

First one is Positive blocking with Page Shield, locking down your JavaScript.

Very important. I've built a lot of websites in my time.

I'm sure anyone, if you have built a website, you've definitely used third-party JavaScript libraries.

Very easy to build more powerful applications that way.

But sometimes the code we embed is not necessarily safe.

With Page Shield positive blocking, we can actually lock it down and ensure only vetted libraries get loaded.

So that's very important for our end user data.

Second blog post I helped with was an update on application security trends this year.

We actually wrote the first one at Security Week 2022, and I'm still in awe every time I look at the traffic stats on the Cloudflare platform, how much traffic is proxying through Cloudflare.

And, of course, we want to share and be transparent about all the things we see.

So please head over, read the blog. Very interesting insights on where attacks are coming from.

What are the most common attack vectors?

What's happening with account takeover, brute force attacks?

How much of the web traffic is automated versus human?

So please go read it. Really interesting stuff.

One little fun fact about me. When I was growing up, as many kids, I used to play a little bit too much computer games, too many computer games.

One of my favorite was Counter-Strike: Source.

And you cannot believe how excited I was when my mother bought me a book entitled CSS.

Little did I know when I opened it, it wasn't about Counter-Strike Source, it was about cascading style sheets.

A little sad on the moment, but that's actually how I got into computer science.

So the rest is history. I will close off with one of my favorite books.

Back when I was learning about programming and computer science.

I actually have it here with me. Programming Pearls. Coincidentally, I was learning the Perl programming language back then.

There are examples in the book which are very applicable to Perl.

It was even a little old when I read it, but it really gave me some good insights on algorithms and how to code well. And Perl, as many of you know, is probably still keeping the Internet glued together even today.

With that, have a good day. Hope to see you soon.

Bye bye. <v Mia Wang> Hi, I'm Mia Wang, director of strategy and M&A on Cloudflare Special Projects Team.

I also had the honor of leading the Workers Launchpad funding program, which is a $2 billion program to help support startups building on Cloudflare's developer platform.

And we announced this program back in November of 2022, and last week we had our very first demo day where more than 15 companies building on our developer platform showcased what they were building to investors, to potential customers, potentially future colleagues and employees.

And it was a really special event that we were doing for the first time.

We had Matthew Prince, our co-founder and CEO opening, and then myself and Jade Wang, who runs our startup program, help moderate and host the event.

Um, it was a really special kind of moment in our work with developers and supporting startups, so you can learn more on Cloudflare website.

I'll also mention that applications for the second cohort are now live, and so we'll be selecting the next group of, next class of companies in the coming weeks.

So head over to and look for the Workers Launchpad funding program if you want to learn more.

And so just to share a little bit more about me, I guess in terms of the most interesting thing I'm working on, you know, the launchpad has to be, has to be that it's a mix of sort of an accelerator program where we offer Founders bootcamp and we host sessions on how to think about, you know, recruiting, how to think about building a sales organization, pricing business models, as well as fireside chats with leaders from Cloudflare such as our SVP of Infrastructure, Nitin Rao.

Our SVP of Emerging Tech & Incubation, Dane Knecht, and then also deep dives on various Cloudflare products.

So that's been an incredible amount of fun to work on. Uh, and then also share, I'll end with maybe a fun fact.

Um, for those of you who are animal lovers, I have two standard poodles.

Uh, they are practically my children.

They're a lot of fun, super active, and, you know, keep me getting outside.

And should've mentioned at the beginning, I am based out in New Jersey and so it's been kind of cold and snowy out here.

And so it's been good to get out with the dogs.

And so, again, if you want to learn more about the Workers Launchpad, head over to Cloudflare website and you can feel free to reach out to Workers Launchpad at if you have any questions and our team can help answer them.

