Data Protection everywhere, application security, and an iPhone exploit to avoid

Hello, everyone, and welcome to This Week in Net. It's the September the 8th, 2023 edition. We're back already in September with a few blog posts to go over, including about data protection. I'm João Tomé, based in Lisbon, and with me I have, as usual, our CTO, John Graham-Cumming. Hello, John, how are you? Hello, I'm fine, thank you. We did a bit of a stop, a summer stop, and we're back now, so a lot of blog posts to go over, and there's a rainy Lisbon now expecting us. It is a bit rainy, yeah, although I saw the weather forecast, it looked like it might warm up again, so I'm hoping for that. Me too, still summer here, at least, so let's hope the good weather comes back again. You have a specific jacket, a very specific jacket on you, right? I just thought I'd put this on, although I think it might be a little bit warm for today. This is the Cloudflare Inventor jacket, I don't know if you can see that, it says Inventor on it, and it's people who've had patents approved at Cloudflare get one of these as a gift, so I thought I'd put it on today, but I actually think I might take it off in a minute before I start getting too hot, so we'll see how long I can go with it. Let's see how it plays out. Cloudflare has a lot of patents, actually, I have that in my pipeline for one of these next possible segments for us to discuss more in detail, but Cloudflare has a lot of patents, and you have your name in the few, right? I think so, yes, I mean, obviously, there's lots of people, and to be honest with you, I'd have to go back and look at how many there are, in fact, but yeah, lots of people in Cloudflare coming up with lots of very interesting ideas. It's part of the innovation part of the company, too, right? I mean, it's part of protecting our special algorithms and things like that, and it's also part of a sort of defensive strategy, because, of course, lots of other companies use patents as well, and so we have to protect ourselves against somebody else patenting something that we are doing, so it's part of what we do, and I think there's some pretty cool things we've come up with. Let's go over that in a few weeks, possibly. We had a bunch of blog posts while we were out, an applications report, a lot of things, but one of the most recent, actually, it's related to Cloudflare 1 for data protection, so our unified suite to protect data everywhere across web, SaaS, and private applications. What is this all about? Why don't we bring it up on the screen so we can all see what it looks like? Yeah, absolutely. I mean, I think, first of all, data protection sounds like something exceedingly boring. True, and more and more is needed in most countries, because regulation is just around the corner. For example, there's a GDPR in Europe, and, of course, GDPR is about data protection, but there are others. I mean, the number of countries, I couldn't even list how many countries are introducing laws or have laws about data protection, and I think this is very much the future of things that are on the Internet is taking into account these laws, and our data protection suite really unifies everything we have in all of our products around Zero Trust, email, SaaS, all this kind of stuff, and so that the data that's in there can be protected, and, in particular, be protected against theft. To a certain extent, protected from employees misusing it with AI tools, because that's a worry right now, and protecting the proliferation of that data in cloud environments. I mean, it's just the amount of data that gets moved around, and so this is just announcing the Cloud Platform Data Protection Suite, and I think that this will be a very big deal for companies that work across countries, across regions, because they're having to deal with a vast number of different laws, and also worry about how they keep their data safe, and also how they comply, and so I think this is a big part of that, and, in particular, I mean, one of the worries is that, you know, if you have a breach of some sort, then you are going to have to report that in all sorts of countries and all sorts of states around the world, so first of all, keeping your data safe, and if you do have a problem, knowing what to do is all part of the game. Exactly. Exactly. There's a bunch of references here in terms of regulation, but also in terms of companies use different providers of cloud for different purposes. So many. So many. So many. Yeah. Exactly. So, having an integrated perspective on what all of those situations have is important in a sense, right? Yes, absolutely right. Absolutely right. So, I mean, I think that we will, you know, we'll see, for me, the future of the Internet is actually about data protection and privacy going forward, and so I think that, you know, products like this are very, very important. We have a few use cases in this blog post, so for people to visualize a bit on what some of the challenges, modern challenges, could be related to this topic. So, I think it's worth exploring. May that be the regulations that we were discussing, data exposure, visibility, and also those AI tools that are now being used generally, and there's some risks there too, right? Yes. Yes. Yes, absolutely. Absolutely. The blog post is pretty much complete in terms of giving the larger scope of things that companies should worry about and what this data protection unified structure gives them. Yep. Yep. And there's also the how to get started, always important for people to understand. Yeah. Yeah. Exactly. Also related to CloudFlow 1 for data protection, we have what's next for this data protection suite because things are evolving and we're also discussing on what are the capabilities we're also thinking for next, right? Absolutely. Absolutely. So, you know, lots of stuff coming. I mean, if you think about that Zero Trust, SASE, WebGateway, CASB, all that stuff solution is growing and growing and growing. We're innovating very fast there. There's some details here in this specific blog post in terms of capabilities, even those that were shipped since 2022 Q4. For those who are in this area, sometimes there's a lot of different names, a lot of different things. The main thing, the main takeaway is how to be safe and have some ease of mind without thinking too much on the different providers, different perspectives, right? Yes. Yes. I mean, this is an area where there's a lot of change and a lot to learn. And so, yeah, hopefully our blog posts and our websites, the Zero Trust roadmap, etc. really help explain what all this stuff means and how we can help. One of the things that is mentioned here in the next 30 days, we'll introduce a risk score based on user behavior and activities that have been detected across Cloudflare 1 services. This also takes leverage of our global network, right? Absolutely. I mean, so much stuff at Cloudflare takes advantage of our global network, right? We have this large network which allows us to detect attacks, novel attacks, apply machine learning to it, look at traffic patterns, look at where performance is bad. All this stuff benefits from having such a large network. Exactly. We have a few more things from the past couple of weeks that we weren't here to discuss. Where should we go next? We have Cloudflare Radar's overview of new tools or insights. You did that one, right? Cloudflare Radar's 2023 overview of new tools and insights. Why don't you tell us about that? Sure. In a nutshell, it's all about our tool that is like a newspaper of insights of the Internet for people to browse. We have discussed that in our segment here on This Week in Net for a few times, actually. And this year, so far, we have launched different things, which are some of those are really interesting. Internet quality section. We already talked about that, where people can take a look on bandwidth and latency by continent, by country, by ESN. They have here, for example, a world map where they can see the different perspectives. For example, we can see Portugal is well placed for download speed or loaded latency, always important, which countries are well placed here on connection quality. So there's a lot to explore, for example, in Internet quality. That was one of the major ones. But there's also trending domains. We discussed that here. That's new, this part, where what's trending today, what's trending this week. And more URL scanner tool, where people can browse through some of the websites, try to see what type of technology they use. Are they malicious or not? Things like that. And, of course, the routing section, which is more recent, actually, from late July. And it gives all about BGP route leaks, hijacks, things that are important for the Internet and for those who work in network, for example. So there's a lot of exploration here in terms of new additions to Cloudflare Radar, what you can do with these new sections. So that's mostly it. We also have some general Internet insights from 2023, like the one year of war in Ukraine back from February. We could see cyber attacks. We could see how the Internet was resilient in Ukraine during this more than one year now, or specific ISPs outages, or Eastern and Passover Ramadan Internet trends. So our global network, as we were discussing before, gives us a very complete perspective, including how the coronation of King Charles III affected Internet traffic. So there's a lot here to unpack, in a sense, as an overview of what we've been discussing on Radar, including our reports, application, DDoS, Internet disruptions reports. So this is mostly a sum up so far of the year. Yeah. Thank you for writing it. It gives us quite a sum up. It was slightly sobering when you said a year of the war in Ukraine was in February, and of course now we're in September. I mean, unfortunately, I guess we're going to end up doing two years of the war in Ukraine, the way things are going. So it'll be quite shocking. So, yeah. True. And that actually has some startling perspectives on Ukraine, and startling perspectives on Ukraine was on the news this week for other reasons, actually all the reasons, but it was on the news this week. Yes. And we also have this new capability in terms of exploration, which is a data picker, always relevant for people to browse. One of my favorite new features. It's quite an amazing feature, because for me, it allows you to go back in time, which is quite important. You can go back in time, like if you want to know what happened during a specific event, you can pick that week and have a look and say, wait a minute, what happened in that particular time, in a particular country? Actually, you made me think, why don't we do this live? The Pope was in Lisbon for a week, wasn't he? It was. In August. Early August. I think the beginning of August, right? It was that first week in August. Was there a Pope effect? It looks like it, actually. At August, Saturday the 5th, clearly the traffic was higher than usual. I think he'd left at that point, right? No, no. The event ended on Sunday, August the 6th, so he was still here. Okay. So everyone was Instagramming their pictures of the Pope or looking for information about the events or whatever at that point. He was in Fatima that day, actually. Maybe we can attribute that to the presence. Maybe, maybe. Yeah, always interesting to go back in time and see events, for sure. That's Cloudflare Radar for you, but we also had different aspects, like Cloudflare's tenant platform in action, Meter deploys DNS filtering at scale, for example. Should we go over there? Go on, then. Let's do it. This is one of those third parties talking about a company that uses Meter, uses the Cloudflare tenant API, which allows you to set up DNS filtering. Meter itself is an infrastructure company for Internet stuff, and it's just a blog post about how you can use our API, how a third party can use our API to set up DNS filtering for their customers. An interesting example of a customer using it and using it for their world. In this case, it's a customer related to the Internet infrastructure provider, and it's leveraging the tenant API integration, like you were saying, for DNS filtering. Yeah, so they do it for businesses and also shared workplaces, offices, stuff like that, and so they want to be able to configure the filtering for those locations, and they're using our tenant API to do that. And they can specifically block what they need to block, like enforce acceptable Internet use policies. There are security risks in some of those, so it gives them that ability, in a sense. It does. And I am now officially too hot in this jacket, which would be great for a cooler location. So the jacket's coming off. We're going to get down to some serious business now. Don't forget your microphone. I'll get my microphone. We're doing it live right now. Okay, ready? The next one is start your favorite websites in the dashboard. For anyone who's got a lot of websites, domains on Cloudflare, you could end up with a long list of them, and so this is just, hey, favorites. I mean, just like starring things in any other tool you have out there. A simple little feature, but one of those ones for people who have a lot of domains and websites, they can go in and star them. So mark your favorites and get to them more quickly when you're working in the dashboard. True, and it's one of those little things. I think this was requested by customers, and they really enjoyed it. I could see some feedback in terms of Cloudflare community and on Twitter that it's one of those little things that makes a difference for people that uses a lot of domains. Well, yeah, I mean, if you have a lot of domains, this is little productivity things that really can help. Make sure. We also have an application security report from late August. We didn't win over it before. A lot of trends relates to Q2 at 2023. So we're doing this quarterly, right? So this is now, I think, the third time we've done application security. So application security is looking at like HTTP level, like what's happening with people trying to connect to applications, what are bots doing, what are APIs doing, and stuff like that. So you just sort of see the trends that are happening. And it changed. This graph is interesting, right? So we talk about mitigated requests. That's an HTTP request that comes to Cloudflare, and we do something to it because we think it's bad. So it could be we just block it. It could be that we use one of our turnstile things to check to see if it's a bot. So this is what mitigated is. It could be the WAF blocked it or something like that. So you see the sort of- Or DDoS also. DDoS attacks. At the HTTP level. Yes. Yes. That's right. And so you see this kind of something like 6% of things get mitigated. And of that, about three quarters are outright blocked. So it depends. But of course, it depends on what the customer configures. And actually, if you look at this next section, customer configured rules are now the biggest contributor to a mitigated traffic. So what's interesting is we provide a WAF, DDoS, and all that kind of stuff. But customers are writing their own because we've provided this very rich language for writing rules. And now it's showing that that's become the overwhelming majority of requests being mitigated by customer rules. And WAF managed rules mitigation reached as much as 1.5 billion a day during the quarter, which is a lot. Yeah, that's right. There's also the DDoS mitigation like we were discussing, always popular and important also. Yeah, there's a lot here to unpack and even to understand in terms of what are the types of sources that are used. And also geolocation blocks, right? This is something that is increasing in a sense. Yes, unfortunately, this is a thing that happens. We see this stuff across the world, people deciding to block particular locations. I mean, you certainly see it in terms of GDPR. You would have experienced this, no doubt. You sometimes try and read a US publication, and the US publication just says, you're from Europe, we don't deal with you. True. Newspapers do that a lot. Newspapers do it quite a lot, yes. And more recently, threads from Instagram because of other purposes, like they are not available in Europe. And apparently, there were people using VPNs and they blocked that, for example. And also, old CSV, so vulnerabilities. Yes. I mean, one of the things about Internet security is that there's a lot of focus on the sort of exciting, new, scary. And in fact, yesterday, I mean, Apple basically put out a 16.6.1, right, iOS release because of a very serious security vulnerability where someone could send you an iMessage, which you didn't even need to click on, and it could get control of your phone. And there's a lot of focus on that kind of thing, and I hope people have upgraded. But on the other hand, when you think about what's actually happening on the Internet in general, a lot of old stuff is going around, like SQL injection and trying to do directory traversals and find files, trying to insert files into a system and then execute them. I mean, all this stuff carries on continuously, which is why people need WAFs and things like that. CSVs are also here 1%. And we had a blog post actually recently in August related to that here. It is mentioned in terms of how the CISOs, the U.S. security organization agency, they put out the exploited vulnerabilities of 2022. And we go over those top vulnerabilities. Log4j. Who can forget Log4j just before Christmas? True. That was a popular, not in a good sense, 1%. Unpopular in my opinion because we were running around fixing it. Yes, that was the thing. And of course, scanning for Log4j vulnerabilities will be here forever. It will never go away because people will look for systems that are vulnerable forever and ever and ever. Exactly. Atlassian also present in Microsoft Exchange 2, for example. There's a few there. But bot traffic insights also mentioned here. A lot of the Internet is automated. So that's also here present. On average, more than 10% of non-verified bot traffic is mitigated, which is actually more than normal HTTP traffic, right? Yes, that's right. There's a lot to explore here for those who like this type of thing. Also, API traffic. APIs are more relevant than ever. And we can see here, why is that in a sense? Yes, I think the thing is APIs are what's running the Internet in terms of applications. So naturally, hackers are going to go after them. And now it's 65%. It's coming from browsers. Like the Cloudflare dashboard, there's a front-end talking to an API on the back-end. So no surprises here. There's a lot of this traffic and the bots are going after them. Exactly. HTTP anomalies are the most common attack vector on API endpoints. And of course, SQL injection is the next one. So good perspectives in terms of having a... It gives us actually a perspective on the Internet. Of the 2023 Internet, right? Yes, it does. And we're going to continue to put these out quarterly. So you'll be able to get a sense for what is happening in application security. But there'll be exciting new things. And there'll be a lot of things that have been around forever. Exactly. We still have time to go over some of the things we missed in the past two weeks. Introducing the 2023 Internets. Internets. Yes, exactly. So these are the class of around 40 interns we had this summer. And they, in a sense, it explains what they were doing, in a sense. What they learned. It's quite interesting to see how much they can do at Cloudflare. Yeah, I think that's a good point. I mean, I think... So I think that the... The thing that's interesting here is if you're interested in interning at Cloudflare, read this because you will get a sense for what people actually do. And what I would say is our interns build and ship actual things. And there were recent blog posts written by interns about the stuff they ship during their internship. And this doesn't just apply in engineering as well. But also you see it in product management. You also see it in other departments where people actually do real work. So I would say that if you want to get a good experience at Cloudflare with an internship, we can really give it to you. And so this particular blog post gives you a good sense for what people have been doing and what their internship experience was like. Exactly. And you can sign up here if you want to learn more about being an intern at Cloudflare. I also wrote an August reading list about online security and 2023 attacks landscape edition. It goes over all of our blog posts from the year in terms of... War in Ukraine, again, mentioned. In terms of security and attacks and all that. A lot to impact too. Yeah. That was a good reading list. And this was already disclosed. And there was also Elevate Load Balancing with Private IPs and Cloudflare Tunnels, a secure path to efficient traffic distribution. This was already today, Friday. Yeah, that's right. That was just the other day. So lots of interesting stuff to read about if you're looking for things. And lots more coming, right? Because September is Cloudflare's birthday month and birthday week, which is the OG Innovation Week at Cloudflare. It's towards the end of the month, around September 27th. And so there will be a lot of interesting announcements around then. Expect lots more of the things Cloudflare does. So looking forward to that week. And we'll have a very busy this week in net. Probably actually have to do a double edition or something that week. A full hour, possibly. Yeah, it's always busy that week. It starts this year on September 25th, I believe, because of the calendar perspective. It's on Monday, September 25th. Yeah, it will be a busy week for sure. So stay tuned for that for sure. Before we go, I also have a small curiosity here related to the fact that Google was officially founded 25 years ago. It was on September the 4th, 1998. And what we have here, in a sense, is something that is on Cloudflare radar. It's related to our domains ranking. We already talked a bit about that. We have this top 100 domains. And in this case, you could see worldwide, Google's number one. And Google APIs is number two. And G -Static. And G-Static. And Google Video. DoubleClick, which is also Google. It is ads from Google, true. A lot of things related to Google. And I took a look, and there's 80% of locations where Google.com is number one in our list. And if we consider Google APIs just Google APIs, it's like 87%. So it's pretty much a very worldwide perspective. On the negative side, not negative, but we could see also where Google is not number one, is places where Facebook is number one. Like Cook Island, Faroe Islands, or Myanmar, French Polynesia, or Sudan, or Syria, or Chad. Or, in this case, QQ in China. Or Microsoft.com in Fiji or Nauru. And TikTok CDN, this is their domain for CDN. In Afghanistan, Ethiopia, Iraq, Libya, Somalia. So there's a few other countries definitely where Google is not number one. That also tells us something, in a sense. Yes. You know, it's interesting, obviously in China, because Google isn't present in China. And Tencent with QQ is there. QQ does, if you don't know, it does instant messaging and has a sort of web portal. A bit like Yahoo back in the day. News and all this kind of stuff, and search. It's interesting to see that. It's interesting to see in some of the smaller locations that things like Facebook and TikTok are so popular. Which, you know, obviously people are using those apps a great deal. And I guess everybody in the Comoros is just chatting on WhatsApp, which is great. True. And on Facebook, there's reports, especially in Africa and some countries, Facebook is like the Internet for them. They mostly use Facebook. And this also gives us that perspective a bit. So that's interesting. So that's it for this week. So see you next week, John. I will see you next week, and hopefully it'll be sunny in Lisbon. Hopefully it'll be sunny in Lisbon. And we're back to normal behavior. So, all right. See you, Charles. See you. Bye-bye. Bye -bye.