Junade Ali

Hello! I'm Junade; I am a software engineering manager, author and computer scientist.

I have experience in a variety of areas, from road traffic engineering to financial services, and from web development to internet infrastructure. I have also done high-impact research work in computer security and Operations Research.

Over the past few years I've written books, blog posts and scientific papers, and given conference talks and interviews. This website archives various of my blog posts, published works, recorded talks and press coverage of my work. On this home page you can find my biographical sketch and a selection of these works.

Biographical Sketch:

Junade Ali is a British computer scientist with specialist knowledge of computer security, distributed systems and software design. His software engineering experience has varied from being the lead developer of the then largest digital agency in the UK (by headcount) to developing software for embedded systems used in mission critical road safety applications.

At the age of 17, he started a post-graduate Masters, and was later awarded a Distinction and “Best Overall Masters” award for a thesis based on his earlier conference paper “Coverage and Sensor Placement for Vehicles on Predetermined Routes - A Greedy Heuristic Approach”. Junade currently holds Chartered Engineer regulatory status (the terminal qualification in engineering in the UK).

Junade designed the k-anonymity model that powers the Pwned Passwords service, leading to industry change in password security measures (by companies including 1Password, Okta, Apple, Google, LastPass, etc.).

With specialist experience in refactoring legacy software and software design, Junade has published multiple books on software engineering, including the best-selling title: “Mastering PHP Design Patterns”.

Currently, Junade holds the position of Support Operations Engineering Manager at and is working part-time on a PhD in theoretical computer science.

Junade can be found on Twitter as @IcyApril.

Selected Works

The IET - From apprentice to Chartered Engineer: at just 24

“As studying took a larger share of my time, I took a role working with embedded electronics for road traffic systems at a more traditional engineering firm,” he says. “About five years ago I was headhunted by an internet infrastructure and cybersecurity firm I had always wanted to work for.” Now an Engineering Manager, Junade leads an Operations Research team in charge of developing technologies in Artificial Intelligence and formally verified software to drive improvements in cybersecurity an

The Verge - Have I Been Pwned — which tells you if passwords were breached — is going open source

These days, we almost take it as a given that piss-poor security will inevitably expose some of your usernames and passwords to the world — that’s why 2FA is so important, and why you might want a password checkup tool like the ones now built into every modern browser (well, Safari is coming soon) so you can quickly replace the ones that were stolen. But nearly all of those password checkup tools owe something to Troy Hunt’s Have I Been Pwned, which was kind of a novel idea when it first launch

Using data science and machine learning for improved customer support

In this blog post we’ll explore three tricks that can be used for data science that helped us solve real problems for our customer support group and our customers. Two for natural language processing in a customer support context and one for identifying Internet attack traffic. Through these examples, we hope to demonstrate how invaluable data processing tricks, visualisations and tools can be before putting data into a machine learning algorithm. By refining data prior to processing, we

Time-Based One-Time Passwords for Phone Support

As part of Cloudflare’s support offering, we provide phone support to Enterprise customers who are experiencing critical business issues. For account security, specific account settings and sensitive details are not discussed via phone. From today, we are providing Enterprise customers with the ability to configure phone authentication to allow for greater support to be offered over the phone without the need to perform validation through support tickets. After providing your email address to a Cl

Project Crossbow: Lessons from Refactoring a Large-Scale Internal Tool

Cloudflare’s global network currently spans 200 cities in more than 90 countries. Engineers working in product, technical support and operations often need to be able to debug network issues from particular locations or individual servers. Crossbow is the internal tool for doing just this; allowing Cloudflare’s Technical Support Engineers to perform diagnostic activities from running commands (like traceroutes, cURL requests and DNS queries) to debugging product features and performance using b

Optimising Caching on Pwned Passwords (with Workers)

In February, Troy Hunt unveiled Pwned Passwords v2. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security. In supporting this project, I built a k-Anonymity model to add a layer of security to performed queries. This model allows for enhanced caching by mapping multiple leaked password hashes to a single hash prefix and additionally being performed in a determ

The Register - Firefox hooks up with HaveIBeenPwned for account pwnage probe

Firefox has started testing an easier way for users to check whether they're using an online service that has been hacked, through integration with Troy Hunt's HaveIBeenPwned database. The hookup will work like this: part of a user's email address is hashed, and this hash is used to check if the address appears in HaveIBeenPwned's database of 5.1 billion email addresses linked to compromised internet accounts. The “Firefox Monitor” test will start with 250,000 users, mostly in the US, accordin

TechRepublic - Mozilla’s new Firefox service can tell users if they’re a victim of a data breach

Mozilla is integrating with the online tool Have I Been Pwned to alert users if they are at risk following website hacks. Mozilla is now offering the ability to check if Firefox users have been the victim of data breaches through the new Firefox Monitor service. The service uses the dataset of the popular website Have I Been Pwned? (HIBP), which collects and analyzes the database dumps disseminated in the darker corners of the internet. From this dataset, both users of HIBP and Mozilla's Firefo

Ars Technica - Find out if your password has been pwned—without sending it to a server

A new system that securely checks whether your passwords have been made public in known data breaches has been integrated into the widely used password manager, 1Password. This new tool lets customers find out if their passwords have been leaked without ever transmitting full credentials to a server. Security researcher Troy Hunt this week announced his new version of "Pwned Passwords," a search tool and list of more than 500 million passwords that have been leaked in data breaches. Users can a

Validating Leaked Passwords with k-Anonymity

Today, v2 of Pwned Passwords was released as part of the Have I Been Pwned service offered by Troy Hunt. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security. I have written about how we need to rethink password security and Pwned Passwords v2 in the following post: How Developers Got Password Security So Wrong. Instead, in this post I want to discuss one of
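As an added example (not code from Pwned Passwords, Cloudflare or the author), the client side of the k-anonymity range query described in the two Pwned Passwords posts above, with a constructed stand-in for the range endpoint so it runs offline. It assumes the v2 wire format: the client sends the first five hex characters of the uppercase SHA-1 digest, the server returns every known hash under that prefix as "SUFFIX:COUNT" lines, and the client compares its remaining 35 characters locally. The leaked-password corpus, its counts and the decoy suffixes are constructed for this example; the decoys only pad each bucket to K entries so the anonymity set is visible.

```python
"""k-anonymity range check in the style of Pwned Passwords v2 (added example)."""
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5   # hex chars sent to the server: 20 of the digest's 160 bits
K = 8            # constructed bucket size; half a billion hashes over 16**5
                 # prefixes gives real buckets on the order of 500 entries


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix that goes over the wire, suffix that stays on the client)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


# Constructed corpus of "leaked" passwords (not breach data); counts are made up.
LEAKED_COUNTS: Dict[str, int] = {"password": 3_000_000, "letmein": 500_000, "hunter2": 20_000}
LEAKED_HASHES: Dict[str, int] = {sha1_hex(p): n for p, n in LEAKED_COUNTS.items()}


def fake_range_endpoint(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}: every corpus suffix under the prefix plus
    deterministic decoy suffixes (constructed) so each bucket holds K entries,
    one "SUFFIX:COUNT" line each, CRLF-separated like the real API."""
    entries = {h[PREFIX_LEN:]: n for h, n in LEAKED_HASHES.items() if h.startswith(prefix)}
    i = 0
    while len(entries) < K:
        decoy = hashlib.sha1(f"decoy:{prefix}:{i}".encode()).hexdigest().upper()[PREFIX_LEN:]
        entries.setdefault(decoy, 1 + i)
        i += 1
    return "\r\n".join(f"{s}:{n}" for s, n in sorted(entries.items()))


def parse_range(body: str) -> Dict[str, int]:
    """Parse SUFFIX:COUNT lines into a dict; tolerates CRLF and blank lines."""
    bucket: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        bucket[suffix.upper()] = int(count)
    return bucket


def pwned_count(password: str, fetch: Callable[[str], str] = fake_range_endpoint) -> int:
    """Client side of the protocol: only the prefix leaves the machine; the
    suffix comparison happens locally against the whole returned bucket."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def bucket_size(password: str, fetch: Callable[[str], str] = fake_range_endpoint) -> int:
    """Size of the set the server cannot distinguish the queried hash within."""
    prefix, _ = split_hash(password)
    return len(parse_range(fetch(prefix)))
```

Because the response depends only on the prefix, every client whose password falls in the same bucket fetches the same body, which is what makes the range endpoint cache well at the edge; the server learns 20 bits of the digest and nothing that singles out the queried password from the other entries in the bucket.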

The Curious Case of Caching CSRF Tokens

It is now commonly accepted as fact that web performance is critical for business. Slower sites can affect conversion rates on e-commerce stores, they can affect your sign-up rate on your SaaS service and lower the readership of your content. In the run-up to Thanksgiving and Black Friday, e-commerce sites turned to services like Cloudflare to help optimise their performance and withstand the traffic spikes of the shopping season. In preparation, an e-commerce customer joined Cloudflare on the

Performing & Preventing SSL Stripping: A Plain-English Primer

Over the past few days we learnt about a new attack that posed a serious weakness in the encryption protocol used to secure all modern Wi-Fi networks. The KRACK Attack effectively allows interception of traffic on wireless networks secured by the WPA2 protocol. Whilst it is possible to backward patch implementations to mitigate this vulnerability, security updates are rarely installed universally. Prior to this vulnerability, there was no shortage of wireless networks that were vulnerable to i

Boing Boing - The "anti-patterns" that turned the IoT into the Internet of Shit

Cloudflare presents a primer on "anti-patterns" that have transformed IoT devices into ghastly security nightmares. This JSON request instructs the alarm clock on every "alarmSound" event to send an HTTP request to the coffee machine. Whilst this may seem a simple and effective way of implementing the Pub/Sub pattern in HTTP, this poses a significant security risk. By not being able to validate if the receiver of the subscribed message wants the message or not, there is effectively a DDOS vu

IoT Security Anti-Patterns

From security cameras to traffic lights, an increasing amount of appliances we interact with on a daily basis are internet connected. A device can be considered IoT-enabled when the functionality offered by its Embedded System is exposed through an internet connected API. Internet-of-Things technologies inherit many attack vectors that appear in other internet connected devices, however the low-powered hardware-centric nature of embedded systems presents them with unique security threats. Engin
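The subscription anti-pattern quoted from the IoT post above, beside a verified form, as an added example that is not Cloudflare's or the author's code. The alarm clock, "alarmSound" event and coffee machine come from the excerpt; the Registry type, the challenge parameter names and the fake_network stand-in are assumptions made for this example so that it runs without a network. The fix shown is subscriber intent verification: before a callback URL is stored, the device asks that URL to echo a random challenge, and the destination is also checked so the device cannot be aimed at loopback, private or link-local addresses.

```python
"""HTTP pub/sub on a device: accept-any-callback anti-pattern vs. verified subscribe."""
import ipaddress
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# A transport performs GET(url) -> (status, body); injected so the example runs
# offline. A real device would plug its HTTP client in here.
Transport = Callable[[str], Tuple[int, str]]


@dataclass
class Registry:
    """Event name -> callback URLs the device will call when that event fires."""
    subscribers: Dict[str, Set[str]] = field(default_factory=dict)

    def add(self, event: str, callback: str) -> None:
        self.subscribers.setdefault(event, set()).add(callback)


def insecure_subscribe(registry: Registry, event: str, callback: str) -> bool:
    """The anti-pattern: whoever can submit a subscription names any URL, and the
    device fires a request at it on every event. Registered on enough devices,
    a victim URL receives a distributed flood each time the alarm sounds."""
    registry.add(event, callback)
    return True


def callback_url_allowed(callback: str) -> bool:
    """Static destination checks: https only, no credentials in the URL, no literal
    loopback/private/link-local/multicast address. A DNS name passes here; checking
    what it resolves to belongs in the transport (assumed, not shown)."""
    parts = urlsplit(callback)
    if parts.scheme != "https" or not parts.hostname or parts.username is not None:
        return False
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return True
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def with_query(url: str, params: Dict[str, str]) -> str:
    return url + ("&" if urlsplit(url).query else "?") + urlencode(params)


def verified_subscribe(registry: Registry, event: str, callback: str,
                       transport: Transport) -> bool:
    """The fix: the device sends the callback a random challenge and stores the
    subscription only if the callback echoes it, so a host that never asked to
    be notified is never registered (challenge/event names are assumed here)."""
    if not callback_url_allowed(callback):
        return False
    challenge = secrets.token_urlsafe(32)
    status, body = transport(with_query(callback, {"challenge": challenge, "event": event}))
    if status != 200 or body.strip() != challenge:
        return False
    registry.add(event, callback)
    return True


def publish(registry: Registry, event: str, transport: Transport) -> List[Tuple[str, int]]:
    """Deliver an event to every registered callback; returns (url, status) pairs."""
    return [(cb, transport(with_query(cb, {"event": event}))[0])
            for cb in sorted(registry.subscribers.get(event, ()))]


def fake_network(url: str) -> Tuple[int, str]:
    """Constructed stand-in for the network: coffee-machine.example is a willing
    subscriber that echoes the challenge; every other host is a bystander."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if parts.hostname == "coffee-machine.example" and "challenge" in params:
        return 200, params["challenge"]
    return 200, "<html>not a subscriber</html>"


def demo() -> Tuple[List[Tuple[str, int]], Dict[str, Set[str]]]:
    """Both paths against the constructed network: the insecure registry ends up
    hitting the victim; the verified one only ever holds the coffee machine."""
    insecure, verified = Registry(), Registry()
    insecure_subscribe(insecure, "alarmSound", "https://victim.example/")
    for cb in ("https://coffee-machine.example/brew", "https://victim.example/",
               "https://127.0.0.1/admin"):
        verified_subscribe(verified, "alarmSound", cb, fake_network)
    return publish(insecure, "alarmSound", fake_network), verified.subscribers
```

The challenge round-trip is what the excerpt says the original design lacks: a way for the device to learn whether the receiver wants the messages at all. The address check is a separate, cheaper guard against the same device being used as a proxy into its own network.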

Caching Anonymous Page Views

M42 Smart Motorway in the West Midlands, UK; courtesy of Highways England.

The load time of your website not only affects your search engine rankings, but is also correlated to the conversion rate on your site:

• Walmart.com found that for every 1 second of page speed improvement, they experienced a 2% increase in conversion rate.
• Greg Linden's presentation Make Data Useful demonstrated through A/B Testing every 100ms in page load time delays led to a 1% loss of sales for Amazon.
• Kyle Rush

Mastering PHP Design Patterns

Back in 2010, MailChimp published a post on their blog, entitled Ewww, You Use PHP? In this blog post, they described the horror when they explained their choice of PHP to developers who consider the phrase good PHP programmer an oxymoron. In their rebuttal they argued that their PHP wasn't your grandfather's PHP and that they use a sophisticated framework. I tend to judge the quality of PHP on the basis of, not only how it functions, but how secure it is and how it is architected. This book focu