This Week in Net: New pricing, annual plans and an AI ChatGPT test

Hello, and welcome to This Week in Net, our weekly review of stories we've been writing in our Cloudflare blog and things affecting the Internet. I'm João Tomé, coming to you from Lisbon, Portugal, and with me I have, as usual, our CTO, John Graham-Cumming. Hello, John. Hello, good afternoon. Or good evening. Or good evening, or good morning, or good whatever time is that. Exactly. And this week there was a big announcement from Cloudflare related to adjusting pricing that includes new annual plans to Cloudflare services. So why not start from there? Because this is really important for customers, of course. It's the first time we have changed pricing ever. So in the 12 years that Cloudflare has been around, it has been the case that we had a $20 a month plan called Pro and a $200 a month plan called Business, or Biz sometimes. And those prices have not changed. And we are now raising them. And so from January, the prices will go up. So the Pro plan becomes $25 a month and the Business plan becomes $250 a month. But if you opt to pay annually, then you effectively pay the old pricing because it locks it in at $20 a month and $200 a month, depending on the plan you're using. And if you're an existing customer, you're not affected by the price change until May rather than January. So you have time to switch over to annual plans. But these price changes are coming. And if you think about it, it's pretty amazing. If you just think about in terms of inflation over 12 years, ignoring even the recent spike in inflation, the price of Cloudflare has effectively gone down enormously. And we've added a tremendous amount of value into those plans. So you think about Universal SSL, I think about unmetered DDoS protection, all the things we've pushed into plans, including the free plan. So one of the things this blog post talks about is the fact that we still have the free plan, we still invest in it, and we still plan to add functionality to it. And so over time, these plans get more valuable because we continue to add functionality to them, whether they're the free, the now $25 a month, or the now $250 a month plan, or shortly to be. So we want to do this for one really important reason, which is that, and by the way, we hope that people sign up for the annual plan. We hope that people sign up for the annual plan and pay the cheaper price annually, because it gives us the cash early. So if you pay for an annual plan now, we have the cash, which means we can invest in the business. And all of these things that you've got on screen here, Universal SSL, DDoS mitigation, all of those things are things we need to invest in, and we need to invest in making this network bigger, and faster, and etc, etc. And so the idea here is, it's not really about, we want you to pay us more money, it's just, we want you to pay us earlier. And so if you pay us earlier, then we can use that cash early. And the blog post is interesting, because it gives you a sense of all the stuff we've added into those $20 and $200 a month plans. This chart is amazing. So many things, right? Yeah, yeah, it's crazy. So many bits of functionality. And remember that we drive things down. So for example, the WAF, which is provided in the pro plan, there's actually a free version of the WAF, which is in the free plan, which gives you protection for very critical vulnerabilities. Universal SSL is free, right? We've pushed things down into the different plans. So whatever plan you're on, over time, you get enhanced functionality out of it. And yeah. And there's a mention here about the free plan, the free plan still holds. So we're still giving a lot of protection with the free plan. But of course, new features, new innovation, costs money. And we're also subsidizing that with this increase, right? Yeah, that's right. That's right. And so you know, it's the first pricing change in 12 years. And that's, you know, here we are. And so if you're a current customer, and you want to keep paying $20 a month or $200 a month, you need to switch to annual billing, and you will keep on that price. If you do not do anything, and you're a current customer, then from May of 2023, you will start paying the new price. If you are going to sign up for Cloudflare, after January, you're going to be paying the new price, right? So it depends on if you want to lock in the pricing, you can lock it in now. So whatever you think, we hope you'll pay for an annual plan. And you know, thanks for being a customer. If you're a customer, you know, we've built this incredible service with obviously money generated from customers, but also the tremendous amount of feedback we get. And that includes from the people on the free plan, because we get a huge amount of feedback from people who don't pay us for the service. And it's super valuable. Exactly. And again, our data centers all over the world are still increasing. Our innovation is still increasing. So for that, because things are also more expensive, even for data centers and everything because of inflation, like there's this update, in a sense. Kind of amazing that it took 12 years to do an update. Well, yeah, I mean, there was, you know, it's one of those things where we are really, really focused on the value, right? We're really focused on the value we give to our customers investing in the business. And what we realized is, you know, the best way to do that now is going to continue all the things we do internally. But if we can collect the cash early, well, then we can invest more in the business. Exactly. That makes a difference for sure. Let's move on. We also announced a partnership to simplify China connectivity for corporate networks. There's this blog post about it from Kyle and Anika. Yes. So there's an earlier blog post which really talks about some of the complexities of networking in China. China's Internet developed in a way that is a little bit different from the rest of the world, partly because of competition between three major telcos in China. So China Unicom, China Mobile, and China Telecom, who don't necessarily operate together in the same way that you might see in another country where there are competing networks. And that creates some complexities in terms of how traffic actually gets around between the networks. BGP Anycast, which we use everywhere around the world, doesn't work in China. So you have to have a different networking configuration. And of course, the Chinese border has controls on it, right? The in and out across the Internet is heavily managed in China. And so you end up with it being challenging to get traffic into and out of China. And in particular, what this blog post is about is about businesses that want to use Cloudflare One, which is our SaaS platform. So this is about employees of companies getting access to their applications in and out of China. And so what we've done is we're bringing the Cloudflare One Zero Trust platform into China, using strategic partnerships, so that we can then, if a company that is operating and needs to have traffic flow into and out of mainland China for their normal everyday business, we can actually make that work. And so that's what this is about. We've operated in China for many years. And this is now bringing, we have our CDN service, we have our security services in China, and now this is bringing the Cloudflare One platform so that someone can have an office inside China, go through the partner and then get out onto the public Internet and get to the services and resources they need to get to. Exactly. And there's some challenges because of all you've mentioned, because China works in a different way in terms of the Internet, it's a different Internet in some way. So there's some innovation going on here to include Cloudflare One there, right? Yeah. There's work that's been done here with the partners so that you can have a security policy that works everywhere. So if you're traveling into and out of China, for example, on business, you can access things you need to access if you work for a company that has an office there. So it's important because there are many Chinese companies and multinational organizations that are working in and out of China and need their employees to cooperate with the applications they use, like we all do. So that's the announcement around bringing Cloudflare One to China. And of course, we also have a deep dive in terms of it's all about the Linux kernel key retention service and why you should use it in your next application. There's a lot of explanations here, but it's all about having a new type of way of building your application, right? Well, okay. So here's the interesting issue. If you go all the way back to Heartbleed, when there was a way to get memory from OpenSSL by sending in a malformed request, one of the interesting things was you got random bits of memory and in that memory, there were cryptographic keys. And that meant that eventually what happened was a whole load of SSL certificates had to get revoked. And this is a problem, right? Which is that in order to do cryptography, you need keys and you need those keys to be somewhere. And if you put them in memory, if there is a memory access violation, i .e. you can get some piece of remote software to dump memory to you, you can probably get the private key, or maybe you get the private key. And when the Heartbleed happened, we showed that you could do that. And actually, interestingly enough, the OpenSSL developers had spent time worrying about this problem and had actually kept private keys in a sort of separate part of memory, but it was essentially in the process address space. And so that meant that a bad enough memory access violation could give you the key, and it did. So what's the solution to this problem? Well, I mean, on the sort of extreme end of the solution to this problem is you keep your keys in a thing called an HSM, a hardware security module, where the keys never leave them, and your software interacts with that. And that's great. It's very, very secure. It also tends to be a little bit slow and a little bit hard to scale. So it's used for some very, very high security environments where you never want to see the key ever. But this is an alternative. So this blog post is about a thing called the Linux Kernel Key Retention Service. And basically, what this does is it provides a mechanism by which the kernel keeps the keys within its address space, and it also manages the lifecycle of those keys. So you can say, you know, there's this private key. Hang on to it, kernel, until my process exits. And when the process exits, then the kernel will clean up the key and make sure the memory is zeroed. And the other thing is that because it's in the kernel address space, if there's a memory violation in the application, you can't get the key. It's not in the same address space. And this blog post is a fairly long introduction to the Linux Kernel Key Retention Service and how it operates. There are limitations to it at the moment about what cryptographic algorithms are supported, but it is a very, very useful thing to know about, because if you are handling private keys, then giving them to the kernel and letting the kernel keep them out of process memory and also manage the lifecycle is super useful. Because it means things like, for example, if your program were to crash and didn't do a cleanup of its own memory, then it doesn't matter because the kernel will get rid of that key for you. So I think it's a super useful addition. And Ignat and Oshana have done a great job of explaining how it works and giving you example code and looking at how it operates and expect more from them. So if you want to read about a new product offering this week, you can go read about the China sassy thing, right? If you want to read about Cloudflare in general, you can read about the pricing change. And if you want a deep dive, which has got a lot code and command line stuff, well, guess what? That's what this post is about. And there's a fun worked example in here, which is actually they go in and they modify open SSH so that the keys are stored in the key retention service in the kernel, rather than being stored in memory within a side process. So yeah, well worth it if you want to understand that it is very much a deep dive. It is. And you can learn a lot about this. And it can help people protect themselves for the future for cultural vulnerability. So that's really important there, right? Yeah. Yes, absolutely. Absolutely. It's well worth understanding. And there's some code there also to dig into. And we also have a few trends. Last week, we published a early look at Thanksgiving 2022 Internet trends. With no surprise, Thanksgiving Day meant that Internet traffic went down in the United States, clearly down. I liked this because this means that not everyone's looking at their phone at the table while they're eating their Thanksgiving dinner, right? Because you can actually see that dip. So people were busy talking to each other. True. It's 30% decrease in traffic at that time, around that time when people were in the Thanksgiving dinner. So there's a few trends there. And it's also related to mobile. Mobile traffic also increased during that moment, which is interesting, of course. So they are looking at their phones, they didn't bring their desktop or laptop to the table. Is that what we're saying? That's what we're saying. They're sneaking a look at their phones, but it's less than they might have been doing otherwise. Exactly. Less Internet traffic in general, but definitely more use of mobile devices, which makes sense. They're not using as much the typical computer. And we also saw some e-commerce interest trends with a dip during Thanksgiving dinner and Thanksgiving day. So less DNS traffic to those e-commerce domains during that time. So less buying stuff while the dinner was happening. Exactly. Which makes sense, of course, but it's interesting to see. It's a real dip. And in our Twitter account, we posted some related things to Black Friday and Cyber Monday. So first, there's a general view of Cyber Monday was actually the day globally that had more traffic and also in the US. And that was true last year as well, right? Wasn't that the case? Yeah. Cyber Monday really is Cyber Monday. It is. It is. But it's not the same in every country. For example, the UK has more Black Friday Internet traffic. And that's also true for Germany or France, or even Japan, which is interesting. I also looked in Singapore and Singapore doesn't have Black Friday or Cyber Monday as the day of November with higher Internet traffic or even DNS traffic to e-commerce sites. That's the singles day. The singles day. Right. Interesting. Interesting. And it's a really big increase in traffic in Singapore for that day, which makes sense. But I think Black Friday is like the second in Singapore. It kind of makes sense for the European countries there and many others because, Thanksgiving and Black Friday are not holidays, right? So it's not quite the same situation. I have to tell you, though, that I got an email from El Corte Inglês, a big department store in Lisbon. And on November 11th, they were doing a singles day sale. So somehow El Corte Inglês, which is a Spanish shop in Portugal, had decided that a Chinese event originally was somehow something that we should be looking at. So I don't know how that worked out for them, but I was like, really? How many people know what singles day outside of Asia is? Well, I guess El Corte Inglês does. Actually, I think promotions are all always big. One of the things I've noticed also, and this is also in the UK, in Germany, in France, is how the Friday before Black Friday has a real increase in traffic. That was like November the 19th and usually has a big increase in traffic. And I think it was in the UK, it was like the fourth day with more Internet traffic of the whole month. And there was a lot of days during Black Friday week. So it was like the Friday before Black Friday. So it's like, yeah, they start looking to see what deals are coming or checking up or things like that. And I think department stores are also sending emails already. It's the weekend before. So this I'm showing here, this is the human traffic, human Internet traffic in the US with Cyber Monday with the day with higher traffic, Black Friday, the second one and the dip on Thanksgiving, less traffic. It worked this year because I got a deal on something I couldn't believe I got a deal on, which was a graphics card. I thought graphics cards, but I guess with all the Bitcoin mining that's disappeared or the Ethereum stuff where people proof of work doesn't matter anymore. I'm guessing the graphics cards you can get deals on. So I got a graphics card, so I'm happy. If you're happy, I'm happy. I actually got a new set of AirPods. Oh, I probably should get one. My headphones here are literally falling apart. So it's probably time I got myself some new headphones. Yeah, always in trying to get something from these days. But to be honest, the promotions aren't always real. No, it's true. There we go. Cyber Monday really is the day. That's good to know. It is. It is in the US at least. In others, not necessarily, but it makes sense. The Thanksgiving is there. And I really think the interesting thing about Cyber Monday is people are looking more at later part of the day on Cyber Monday. It's like the fear of missing out. It's almost time. Let me see not only the latest promotions, but also did I miss something? I already bought a few things on Friday, but I want to be sure that there's not a better business or better price now. So I think that also plays a role here. Now I think about it. I think I bought my video card in the middle of the afternoon on Cyber Monday. So it checks out. It checks out. Exactly. Yeah, a few different interesting trends there for sure. But it's interesting to see how traffic flows during those days. And it has a real world impact, which is always interesting to see, to be honest. Oh, well, more trends to show. Actually, this week, why not speak about it? SpaceX, in this case, had a small outage yesterday, actually. So the first day of December, don't know why. So they didn't explain why, but we can see on radar clearly a dip there. So all of these things are still happening, of course. Someone tripped over the wire that goes up to the satellite and disconnected it. It's possible. It's possible. And, of course, a lot of talk about Twitter continues with Elon Musk on the news constantly. But why not? There's a thing that we can actually discuss, which I think is really interesting, is OpenAI, the company that does a lot of work on AI stuff, just released a chat that people can ask questions to their AI and their AI replies. And you can go from, hey, write code to do this, or just explain to me what's the meaning of life, things like that. You can go philosophical or just really technical. And it always gives a reply. But the thing is, the differences between replies are really amazing. So the system seems really to be sure at all times, which sometimes is a little bit worrisome, I think. What do you think about it? I agree with you. And if you ask it something that's perhaps not very concrete, it always comes up with a reply. And sometimes it gets things horribly wrong. It seems to think I'm married to a woman called Claire and living in the UK. You did that test, right? It's going to be news to my wife. But there is something very interesting. So I put up on the screen here, chat GPT, and it can write code. And it can certainly write code that is very short chunks of code pretty easily. And I'm fascinated by this. So I'll do a live demo and we'll see if this works out. But I had tried this earlier on, as I said, write a Cloudflare worker that returns a magic eight ball response. So in the US, they have these things called magic eight balls, which is this sort of round ball and you shake it and slowly words appear. And it's actually a fascinating, simple device, but words appear, giving you a sort of slightly vague sort of suggestion. Essentially, the idea is you ask the magic eight ball question. So there's a set of standard responses which are inside it. It's totally mechanical. It's actually based on a liquid inside it. So what if you wanted to write a Cloudflare worker that returns a magic eight ball? Well, chat GPT will actually write this for you. So I hope this actually works now if I do it live, because I did it earlier. And it knows that people write often in JavaScript. And these are actually the answers that come from a real magic eight ball. Things like Outlook, not so good. And it writes code that randomly selects ones and returns it. And I've actually taken this and deployed it. And it works perfectly. This word, it just works. And more amazingly, earlier on, I was chatting with Celso in the office, and we said, can we make it write something a little bit more complicated? And so here in Portugal, we all have a thing called a NIF. And a NIF is your tax ID. And it's a very important number. It's probably the most important number that every Portuguese person knows, because it's used all over the place. And you can validate it because it has a certain format. And so we said, can GPT-3 do that? So let's do this live. I love live demos. Write a Cloudflare worker to validate a Portuguese NIF. Let's see if it knows what a Portuguese NIF is. It knows what a Portuguese NIF is. It knows. And not only that, but it knows the format. And it writes the code. It has to be nine digits long. That's correct. Everyone has a nine-digit NIF in Portugal. And this is actually implementing it in a slightly different way to the last time it implemented, but it implements check digit algorithm for the NIF. Now, the last time it implemented this, it implemented it totally correctly. We looked at it. This one, I haven't actually checked, this particular implementation. But it's pretty fascinating that it is able to take a simple piece of context, like Portuguese NIF, written in English, and come up with the code for it. And so I think if you are writing worker's code and you want to have a quick start, one thing you can do is go in here and ask it to write some code for you. And what I'm going to do is, because the jackpot is very big, I'm going to ask you to write Cloudflare worker's code to pick EuroMillions numbers. I'm going to win the lottery this weekend. Oh, God. And let's just do this. So we're going to write ourselves a little thing, and we'll get some EuroMillions numbers. And that is correct. EuroMillions is actually five numbers between 1 and 50, and two lucky stars between 1 and 12. So there you go. This is going to give you your EuroMillions numbers. So if anybody out there uses this code and wins, I guess they should thank their lucky AIs. Lucky AIs is a good way to present it, for sure. It is very, very interesting. And it is a huge helping hand if you want to get something up and running very quickly. And check it out. Yeah, it's really interesting. And see some use cases that are popping up by on the Internet is really engaging, for sure. But there's also some questions, like, because it's really short on some of the things. So you must know that you must put things to the test when you do this. May that be, like, world information about something that happened, or just... But it's amazing how much it has already in terms of information. It goes about translating, goes about learning. It seems like Wikipedia is there. All of the libraries of code are there. There's so much stuff there. Yeah, it's really incredible. I thought it would be, like, more better, more raw, and it's really already, like, a finished product, in a sense, which is amazing. Now, I did get it to write me a Cloudflare blog post. And I asked it to write me a Cloudflare blog post about why you should lubricate your Internet connection with olive oil. And it wrote one, and it was fascinatingly wrong, because you should definitely not put olive oil on your Internet connection. But it wrote a pretty convincing argument that it was going to be better. So apparently, it would reduce oxidation. It would help things flow clearly. And because olive oil is viscous, it would stick to the connection nicely. Utterly fascinating. But please do not lubricate your Internet connection with olive oil. Unless, as the blog post actually said, you'd use high -quality olive oil, and not just the stuff you use for cooking, apparently. Actually, we have good, high-quality olive oil in Portugal. We do. Maybe this is going to be a major thing, Portuguese Internet lubrication. Exactly. But don't put all your chips on AI, in terms of being ready to take things from there. I'm, like, scared how much it has certainty of what it puts out there, which is interesting. It's so certain. And sometimes it's so wrong, but so certain, which is kind of amazing. It is. Although, I'm very, very fascinated by the ability to use machines, in this case, intelligent machines, as things to augment us and help us get better. Completely. And a full list there. A full list. In seconds. It tells you, literally, to use a clean cloth or paper towel, apply a small amount of olive oil to the connectors on both ends of the ethernet cable. Please, listeners, do not do this. Do this. This is a really bad idea. It is. Lubricate your Internet connection with olive oil. It was a good segment, for sure. It would allow for people to dig into. Actually, just to end things, this reminds me of Dr. No on the Spielberg's AI movie. You asked Dr. No, which was the voice of Robin Williams, something, and it replied. It was like, in a sense, this reminds me of that. Because you ask questions in that AI movie service. Well. There you go. We're getting there. Slowly. Slowly. And that's a wrap. Thank you, John. See you next week. Thanks very much. And that's done. There you go. Great. Thanks, Joel.