This Week in Net From Web Summit (Lisbon, Portugal)
This week John Graham-Cumming and João Tomé were at Web Summit 2022, in Lisbon, Portugal. Tune in for highlights from the event — as well as a teaser of our forthcoming interview with TED founder, Chris Anderson. And we also go over the blog posts of the week, from an Internet vulnerability to trends related to the Brazilian Presidential Elections.
Don't miss these blog posts, which are featured in the episode:
- How the Brazilian Presidential elections affected Internet traffic
- Cloudflare is not affected by the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786
If you're a developer and you're building something on our platform, we want to hear from you. Check out how to reach us at the end of this segment.
Hello everyone and welcome to Lisbon, Portugal and to our This Week in Net program.
This is the November 4th, 2022 edition. We're at Web Summit, the big technology event that is happening here in Lisbon with more than 70,000 participants and first we will discuss some highlights, me and John Graham-Cumming will discuss some highlights and next we'll have a teaser with Chris Anderson, the TED founder, the Project TED founder and then we're going to Zoom just to discuss some of the highlights we had in our blog this week.
Tune in. John, what do you think of the event so far?
Well, I mean, the big thing is, I did one panel yesterday and I'm doing another one this afternoon.
But the big thing is, I mean, it's 70,000 people this year, way more than last year.
So it's back after COVID completely. I think that's the thing that's really exciting.
And I've been just struck by the amount of energy there is here this year.
Like last year there was, but this year it's really back.
Yeah, it's really busy. It's a big event. They call it like a music festival for technology innovation, but also marketing.
There's a bunch of different areas here.
There's a lot of discussion. There's a lot of collaboration in an event like this.
Do you still see value in people getting around from different areas in a big event like this?
Oh yeah, yeah, definitely. And I think that we as humans are hardwired actually to see other humans in person.
And it's really great to meet people and also to have the serendipity of random things.
One of the things that's happened here is loads of people contact me saying, we're actually building our application, our service on Cloudflare Workers.
I'd like to meet you.
And that really is a huge validation of what we're doing. So if you're to see them and just drop by and say, what are you building?
That's great. And it's hard to do via Zoom, that sort of thing.
And you got a lot of feedback from our customers usually.
So are you surprised in some of these events when someone comes up to you and just says something in terms of giving feedback?
Well, I'm not surprised because it's happened before.
But I mean, it's very gratifying to hear people use the thing that you've helped build and that it's really giving them value.
So yeah, it's great. And it's great to see the number of people who are using Cloudflare and also meet them in person.
And actually, you get a different kind of interaction than if it's a Zoom call that's been set for 15 minutes or something.
For sure. And a lot of amazing speakers like John Graham-Cumming, CEO from Cloudflare here at the event, for sure.
We're going to edit that bit out, right?
Sure, we will. But there's a lot of speakers from different areas here.
And I interviewed a bunch of them for Cloudflare TV already, from Chris Anderson, known for the TED amazing ideas for sharing project, to people like the CEO of Binance.
There's buzzing in terms of people getting a sense of knowledge in those terms.
In terms of all of these speakers together in one place, do you see value in getting back to this type of situation?
Well, I think one of the things that Web Summit does really well is the app.
So Web Summit has a dedicated app and all of your information is in there and you can contact people.
So you can end up having quick conversations through the app, which you wouldn't normally have because they don't have your phone number or email is too slow.
And that enables you to meet these folks and makes a really big difference to be able to get them through the app.
So I like that aspect of it because then you can end up having a conversation with someone that you wouldn't necessarily have met.
And you can contact directly people, not using LinkedIn, but...
Through the Web Summit app.
Yeah. And I interviewed and talked with Paddy Cosgrave, the Web Summit founder and CEO.
And one of the things she thinks is this offline event, which is important still.
So it's powered by cloud, by Internet. So AI, machine learning, getting people together in a more easy way in a very confusing event, because this is like 70,000 people.
It's really difficult to find people. And sometimes using the app, I'm here and just connecting is quite important.
So the Internet is playing a role also in offline event.
But where is it not playing a role at this point in life?
I mean, it's absolutely everywhere. So no surprises here. No surprises here. I've been asking in some of the interviews I've done here where this broad question that could be made, to your point, to anyone, like a clinical psychologist everyone knows in the UK can give us a very interesting perspective on how the Internet impacts the mind and how can we deal with that.
Or it could be anyone, which is really interesting.
So the Internet is impacting everyone. But I'm always asking this, where do you see the Internet as an industry going?
And why not ask you?
It's a very broad question, but... Well, so the Internet itself isn't an industry, right?
The Internet itself is this collaboration of all these different networks and countries and individuals.
It's the basis, right? But it's become the fabric on which everything else is being built from a digital experience.
And so that's just going to continue.
I think if you look at the history of the Internet, obviously there was getting it all running, getting it all connected, the incredible growth around the world.
Then there was a period where I think really security started getting built into it, which it wasn't there before, right?
So we had SSL suddenly invented.
We could do banking online, stuff like that. And obviously we continue in building security into the Internet.
I actually think the next year, five years, it's going to be all about privacy, individual privacy on the Internet, how apps and websites deal with privacy as governments around the world legislate their citizens' privacy.
That's really interesting because I heard a lot about that in my interviews I did here.
And one of the things I noticed is this, it's good to test things.
It's good to try out new methods. But legislation and privacy isn't going anywhere.
And you must be aware when you build something, an app or a service, you must be ready for that.
And we have a bunch of products ready for that.
Even the data protection in terms of making your data inside your country or your region, right?
Well, I think the thing is, it's just the case that in every country, there's some sort of privacy legislation either in place or being created.
And it's going to affect people in countries and in regions differently.
And so that means if you're building something that you want to be all over the Internet, then you need to take into account those laws.
And those laws are changing and are complex.
And so actually, what you want to do is have it built into whatever you're building on top of.
And that's why Cloudflare introduced data localization suite and all the products around controlling where data is stored, where it's processed, where it's decrypted, all those kind of things.
Because you really don't want to have to deal with it yourself.
You want to be able to say, oh, I have a user in Germany.
OK, this is how that user gets dealt with. And let the platform worry about the laws that need to be complied with.
Laws or attacks, right?
DDoS attacks are also a big thing. Well, of course, attacks are a never-ending problem, yes.
But in some ways, the attacks are simpler than the privacy question.
Because the privacy question is per country, per region, per industry, and needs to be thought about.
Whereas the attacks, well, they're coming from everywhere.
And so that's sort of the same old story. It's just there's more of them. They're different sorts of attacks.
They get different types of sophistication. So you need some protection layer.
And that's fundamentally what we do. That's true. And to your point in terms of privacy, one of the things I've been noticing in some of the people I've been talking, some, for example, even this morning, I was talking with someone from Bing Century that does all the whiskeys and all things in the US.
And so this was like a more of advertiser perspective.
And she was worried because they pull out of Twitter because there's a lot of changes on Twitter right now.
But she really loves Twitter.
And she wants to advertise on Twitter. But she wants to learn about safety in terms of my brand is here.
So those aspects, may that be advertisers or regulators, are playing a bigger role in the Internet for the future for sure, right?
Well, sure. I mean, obviously, Twitter, there's a lot of concern or people running around like headless chickens right now because Elon Musk has taken it private.
And changing things quickly, right? I guess. I mean, I think people are reacting to the fact that someone new is in charge.
And he's been extremely successful in business.
And presumably, he's not doing this just for the hell of it.
He's actually going to sort out, hopefully, sort out Twitter's business model.
And there'll be changes there. It's interesting because one of the interesting questions is, will he actually be successful in making this company very profitable?
In a different area. Yeah, dealing with all the challenges. And I would imagine that getting those advertisers to come back if they're leaving is just going to be an important part of building that platform.
Sure. And he has to be worried like for privacy, for regulation, for these types of things for them to come.
And this morning, this was someone that believes a lot in Elon Musk and thinks he will probably do amazing things on Twitter.
She just wants to see when things are a little bit more calm.
So she said like, now it's like better and we have a lot of better products.
And I want to see like the finished version. Well, I mean, it's been a week, right?
That's right. You've got to believe that Elon Musk understands regulation around the world.
He has a company which is making rockets, which are heavily regulated.
We're making cars, which is heavily regulated.
Another one providing Internet access from the sky, which is heavily regulated.
So believe me, he understands the challenges around this kind of stuff. So it's going to take a little while to settle down.
He's the new owner and he's going to sort through things.
But I'm very hopeful that Twitter comes out of this and is considered to be successful because I get huge value out of Twitter.
Me too, me too.
Just to wrap things up, in terms of these type of events, you see the value of it continuing and be bigger and bigger.
Next year, I think we have now at Web Summit 70,000 people.
Next year, they announced that will be 100,000 people. That's a lot of people.
Where do you see these events going in terms of collaboration?
Yeah, I mean, I think it's great that there's many people here, right?
And I think that you're bringing together... The nice thing about Web Summit is it's a very, very high quality event.
And it's high quality across all sorts of different domains, right?
So you're getting together people who you wouldn't see necessarily elsewhere.
And I think it's great to have those people come here.
It's great that they're in Lisbon, which I think is a great place to come, especially this time of year where other places might be particularly chilly.
And so I think it's fantastic.
And I think getting people together in person really does matter because you get those random serendipitous conversations that are a huge creator of innovation.
For sure. And just wrap things up now, really. We are in Lisbon and we work in Lisbon because we work at the Lisbon Cloudflare office.
So Lisbon is also a big part already for Cloudflare in terms of...
Actually, I want to say Portugal is because we also have staff in Porto as well, right?
So it's not just all specifically in Lisbon.
I think with COVID, we expanded out. We're in other parts of Portugal.
We have most of our people in Lisbon and around. More than 200.
More than 200, about 210 people. So we're expanding in Portugal for sure. This is the fastest growing office Cloudflare has anywhere in the world.
So if you want to work at Cloudflare in Portugal, you can apply and see all our positions.
So that's a wrap.
Thank you, John. Thank you very much. So now let's hear from Chris Anderson, the head of TED, the project TED, about his ideas on the future of the Internet, but also about Elon Musk.
About that, Elon Musk now is on the news because of Twitter.
Is there any question that you would like to ask him now, right now, at this time?
You've interviewed him a bunch of times, but what do you think is the main thing he or everyone should be focused on?
Yeah, he's a remarkable man. He's controversial.
He definitely does some odd things. I think some of his tweets are ill-advised.
But when you talk with him, I've talked to him on several occasions, you discover someone who is deeply thoughtful.
And I think at heart, at heart, is genuine in his belief that he's acting on behalf of humanity.
I don't think he's a right-wing lunatic.
I don't think... I think he's going to try at least to make Twitter less crazy.
Right now, the key to getting amplified on Twitter is to be a combination of politically extreme, kind of reckless with the truth, and being willing to be quite obnoxious in the language you use.
In other words, the more you can taunt the other side, the more attention you'll get.
And those are the tweets that are getting amplified.
I guess my one question for him would be, what are you going to do to stop that?
And I think he has a plan. I wouldn't bet against him.
And usually he tries things, right? He has a plan, but he adapts a lot.
He tries things, right? Yeah, exactly. He's been impressively decisive and fast.
He's gone in there and he's operating at absolute blitzkrieg speed.
It's kind of amazing to watch. Whether he's going too fast, we'll see. But he's probably our generation's most impressive tech entrepreneur.
If you objectively stand back and look at what he's built, it is breathtaking.
And I think Twitter's as big a challenge as he's had.
It doesn't all play to his strengths. But like I said, I wouldn't bet against him.
In terms of looking at the future of the Internet, where do you see it going in general?
And where do you hope it goes, really?
Well, this is the existential question for humanity. There's a chance that it takes us into dystopia.
I spoke about this here this morning, but there's a chance that if we continue to provoke the worst in each other, we'll make it impossible to do anything else except fight and bicker.
And we could tear apart a lot of what we've built.
I'm hopeful that people realize how crazy this is, and that there are huge efforts underway to moderate the worst of this.
I think it needs new business models.
I think it needs absolute determination by the big companies and by everyone else online to try to remember what the Internet's actually good at.
The Internet is amazing at pulling people together. There are lots of beautiful things that can go viral online.
We need to double down on doing that, on making, getting past the situation where the only stuff that is viral and compelling is the dark stuff, which is what our algorithms are currently doing to us.
That's unbelievably dangerous. The first lady of Ukraine was also here at Web Summit.
She discussed the importance of the Internet, not only at the war efforts, but also in terms of apps, for example, about mental health, education.
Really important when there's big dislocation and disruption in the country, for sure.
So that's it for Web Summit. And now let's talk a bit about our blog via Zoom.
Hello, John. We were at Web Summit just now, and now we're via Zoom. So it's been a few hours since we recorded that.
But hello now via Zoom. Now let's go more into detail in terms of things we had on the blog and happen on the Internet, in a sense, this week.
One of those actually is a vulnerability, right? Cloudflare was not affected by the OpenSSL vulnerabilities that happened.
Yes, that's right. So OpenSSL is a very popular piece of software, which many people won't have heard of, because it is something that is sort of hidden, embedded inside browsers and things like that.
And it is used to provide the secure connection from, say, your browser and for other uses to a web server.
And it is an open source project that's been around for many years.
And it's very widely used. Now, Cloudflare wasn't affected by these vulnerabilities that came out, because we switched away from OpenSSL quite a few years ago to something called BoringSSL, because we were worried about the complexity of the code in OpenSSL.
It's a very large project. It's been around for many years, has many different features.
And we really only need a limited set of features.
And Google had created this version called BoringSSL, which really cuts it back to the minimal set of features, which makes it more manageable in terms of looking for security vulnerabilities and updating.
So we switched that a long time ago.
But OpenSSL is very, very widely used in the industry.
Now, there was a little bit of a kerfuffle around this, because the OpenSSL project announced that these vulnerabilities were critical.
And critical means, first of all, you've got to patch them immediately.
But also, if exploitation happened, it could be very serious.
And that would typically mean something like a remote code execution would be possible, i.e., I could run code on your machine, which is sort of as bad as it gets.
True. And there was very, very famously a vulnerability in OpenSSL some years ago called Heartbleed.
Heartbleed was eight years ago.
And this was critical. And it allowed people to get at unencrypted data very easily.
Which obviously is very bad for a cryptographic library.
So when they announced that there were critical vulnerabilities in OpenSSL, that caused a lot of people to be concerned.
I actually reached out to the OpenSSL developers myself to say, is there something Cloudflare needs to do to protect our customers?
Now, what actually happened was they downgraded it from critical to high because of a couple of things.
First of all, it only affects OpenSSL 3 and above.
And the reason that's significant is that the more widely used version of SSL is 1.1.1 or something around that version number.
And it isn't affected.
So it automatically a lot of people were ruled out of being affected. And second of all, it wasn't quite as severe as it seemed.
The circumstances under which it was possible to exploit this vulnerability were a little bit more complicated than say what happened with Heartbleed, which was actually relatively trivial to exploit.
So nevertheless, when these things come out, people need to go off and check, you know, have they got this version of OpenSSL in their systems and upgrade to it.
And so there was a big upgrading happening on Tuesday of this week where people were looking at what versions of OpenSSL they were using and upgrading.
As I say, Cloudflare itself wasn't affected because we don't use OpenSSL.
But some of our customers probably were affected because they use OpenSSL 3.07 or 6 or whatever.
It's 3.07, yeah. Yeah, so 3.07 is the fixed version. So, you know, it highlighted that sometimes there are critical security issues like that.
And one that's in a low-level library like this is kind of scary because you really have to go hunting for it.
It's not like you necessarily know, oh, yes, I'm definitely using OpenSSL on my systems.
So that was sort of a big... It was a little bit of a concern last week when the maintainers said there was a critical vulnerability.
In the end, it ended up being a high vulnerability, which is serious and people need to take it seriously, but not quite the Heartbleed-level panic that it looked like it might be.
Actually, we did a bunch of blog posts about Heartbleed, but one is the revisited version from last year that Nick Sullivan did.
Two years ago. Oh, yeah, last year. Yeah, you're right. Last year was, yeah. And it applies.
And it explains a bit what happened and revisits because a lot of lessons are learned from these vulnerabilities, right?
Well, I mean, the thing that was fascinating with Heartbleed was, you know, it was very simple to exploit and very simple to get private information out of systems that shouldn't have ever been able to get them.
Just like you would literally make a request and the server would happily serve up to you the contents of its memory.
And we spent... At the time we used OpenSSL, we were vulnerable.
So we had to go through and patch our systems.
And we realized that at some point, as we realized how easy it was to exploit, we actually revoked and reissued all of the SSL certificates that Cloudflare had, which was a huge, huge effort to do.
And I actually spent a really long time looking at whether it was possible to extract private keys from memory.
And I think I wrote a blog post at the time about this. And it clearly was possible to do it.
And, you know, I think as an industry, it was one of those things where, you know, coordinating information about these serious vulnerabilities, it became very obvious how important that was, which was actually one of the reasons why I reached out to the OpenSSL folks last week and said, hey, is there something that Cloudflare needs to do here to help protect the Internet at large as we're such a big part of it?
Actually, you were yesterday in a panel at Web Summit and you described something I really find it's interesting in terms of industry, but also the culture of Cloudflare, which is how the blog works.
And since the beginning, as the culture of the company is pretty much reflected on a blog, but also having once a vulnerability happens, if we are technical, if we explain why something went wrong, how to fix it, we're not only being transparent, but also helping others in the industry being better or even our customers dealing with something, even if it doesn't affect us directly, right?
Well, I mean, I think the Cloudflare blog is known to be very, very technical.
And so vulnerabilities are one aspect of that, right?
Explaining when something goes wrong, be it something Cloudflare did that was a problem or be it something that was outside of Cloudflare's control, such as vulnerability in a third-party piece of software.
So we try to give very clear explanations to these things without using the sort of panicking language, the sky is falling kind of language that sometimes you get in the security world.
And also we try to do things that are explainers where people... What I hope is that people come away from the Cloudflare blog and they feel like, wow, I learned something today.
I got educated. And that's really, as you know, I tell many of our blog authors, the purpose of our blog is to educate, educate, educate people.
So there we go. Yeah. And with that, you're not only being helpful for engineers, but also for those who really want to learn a little bit more or students, engineering students.
Well, I mean, one of the things I say to people all the time about the Cloudflare blog is that our reader is not an expert necessarily in the thing they are reading about, but they are intelligent and want to learn.
So our goal should be to help people move their knowledge forward. And so if somebody's experienced in an area, they can skip over our introductory part, hopefully.
But somebody who wants to learn about this stuff, hopefully they can because they can go through a blog post and be like, oh, yeah, wait, wait, wait.
Yes, this makes sense.
So that is a big part of what we do. And, you know, try to, as you know, too, the language we use tends to be relatively simple because we want to make it accessible to as many people as possible.
Native and non-native English speakers as well, right?
So we're trying to reach a really large audience that speaks English.
You always say that there's different types of English all over the world in a sense.
So, yeah, being ready for all of those is important. We also had a blog post related to the Brazilian presidential elections.
We did. We did.
And that was something that you put together out of Cloudflare Radar data. So if people don't know, radar.cloudflare.com is where we publish lots of information, real-time information about what's happening on the Internet.
And this particular blog post was a zoom in on Brazil because there was a Brazilian election, in particular, the two rounds of it, 2nd of October and the 30th of October.
So you had Lula da Silva coming back and wanting to be president. And you had Jair Bolsonaro, who was currently president, trying to stay in.
And it had been pretty close.
I mean, throughout the election, right? The polls have been sort of running along like that.
And obviously, the previous president or the current president is a controversial figure.
And Lula himself is kind of a controversial figure.
So there's always travesty going on, right? And so what you find is that... The thing I found really fascinating for what you published, and people should go read it if they want to on the Cloudflare blog, is how on the election day, particularly on the 30th, on the runoff election, people use the Internet much less than they did...
True. ...previous Sunday. That was really interesting. So people were obviously...
Yeah, maybe I want to imagine they were sitting at home debating who they should vote for, or having a big family argument about, you're going to vote for this one, because they weren't doing it on the Internet quite so much.
They weren't. And people are moving because the election in Brazil... Brazil is a big country.
Sometimes you have to really have a small trip to go to a polling station.
So there's a big shift in traffic. And the interesting thing is the time period.
You can see, especially after 11 a.m. in most of Brazil, because they have more than one time zone, you could see a drop in traffic until the polling stations close, which is like 5 p.m. there. And then after that, it goes a little bit more up.
So it increases. It's really interesting. And we could see, because there was a runoff...
Here, this was the runoff. But there was also a first round of the election on October the 2nd.
And we could see also the drop there. So it's consistent through...
It's a consistent story. And also the other thing you showed was the increase in the use of mobile devices.
So people are obviously out and about, right?
They're not in front of it. First of all, that happens at the weekends, typically, because people use their mobiles more.
But also on the election days, you saw even more.
So people were obviously out, you know, perhaps going to vote or being outside.
And there's also some DNS data related to election domains.
And a clear increase, a normal clear increase at specific times. And it's interesting to learn that because the results for the runoff election this past Sunday were earlier than before, the traffic rose earlier.
Also the spike, the peak was earlier than before.
So there's interesting trends for people to see for sure.
Yeah, I mean, and, you know, you and I, we've looked at these things so many times.
We see this, the sort of, the imprint of humanity on the Internet in terms of what people are looking at, the flow of things.
At some point, you and I need to get around to writing a little bit about the death of Her Majesty Queen Elizabeth II, because that was really quite dramatic in terms of, because, although obviously there was a big impact in the UK and in Commonwealth countries, there was an enormous impact actually globally because of the interest in her, because of her long reign.
And so unlike this one, where she's primarily in Brazil, although I'm sure if we looked, we would have seen some impact in Portugal because of Brazilians living in Portugal.
Queen Elizabeth II death was dramatic across the world.
And so at some point we will find time to write that up. Actually, I looked into that.
We could see impact even in Brazil, for example, at the specific time of the announcement or Germany.
There's different use cases, which are really shows us that this was a global situation for sure.
And before we go for this week, one of the things we should also mention, Cloudflare presented this week, the third quarter results.
Yeah, that's right. They're out for those who want to check that out.
And also Matthew Prince, our CEO, will be in Europe next week in London starting.
In London, right? He'll be in London. Yeah, and they'd say it is a meetup.
From my understanding, you can find that on Twitter. Yeah, if anyone goes to our Twitter account, they can find the details there for that for sure.
Yep. And I have one last thing to add, which is that one of the things I really got out of Web Summit was I met a lot of people who walked up to me and said, we're betting our company or our product or our service on Cloudflare.
We're building using pages and workers and the database and all this kind of functionality.
And a lot of people come to me and said that.
And I would love to hear more stories like this. And I would love to talk to people who are using our product to build something because it's really, I mean, I'm a developer and I like to hear from other developers.
So if you want to do that, you can email me and it's dead easy.
You can just email me. My email is jgc.
That's my initials, jgc at Cloudflare.com. If you're building something with workers, I'd love to hear about it.
And feel free to email me. So that was thank you to everybody who came up to me at Web Summit and told me about something they were doing.
Yeah, and I interviewed one of the use cases of a developer that uses Cloudflare in the whole ecosystem of product, which was very interesting also.
So if someone wants to have their story in a more video format type of way, I can also help there.
That sounds great. Yep, yep. I mean, you can tell me or you can chat with João and do it on video.
Either way, I'd love to know about what you're up to.
So thank you, John. That's a wrap. That's right. Great. Nice to talk to you again, João.