Writing


How to prevent developer burnout

Earlier this year, I led a joint research project between engineering productivity business Haystack Analytics and polling firm Survation, to understand the impact of burnout on developers. While there have been attempts to survey developer communities before, this represented the first time representative opinion polling was used to understand software engineers. When it came to burnout, the results were shocking. We found that 83% of software engineers reported that they were suffering from b

EngProd: The Secret of Elite Developer Teams

For companies to be successful, it is important to be able to get new ideas in front of users quickly, so you can keep up with the market and iterate based on real-world feedback. When technology teams find themselves unable to keep up with the pace of product development, they become the blockers of an organization. Ineffective technology leaders will pressure their developers to ship ever more work, causing developer burnout and software instability. By contrast, effective technology leaders

How Data Science Can Drive DevOps Growth - DZone DevOps

To improve, you must measure. Without measuring, you are left reading tea leaves with no understanding of whether you're closer, or further away, from your ultimate goal. Data provides the essential feedback to truly understand how well we're doing—indeed, it often surprises us. This concept is of fundamental importance for Engineering Managers and one I realized the importance of after reading The Goal by Eliyahu Goldratt. Indeed, as many successful organizations do, I had it as my main piece

How To Assess And Improve Your Software Engineering Team's Performance | Hacker Noon

How To Assess And Improve Your Software Engineering Team's Performance Suppose your SRE team has just rolled out a brand new fully self-serve Kubernetes infrastructure, how do you show your boss that it's helped the engineering team deliver faster? Imagine your product engineering team has finally managed to pay down some tech debt through refactoring, how do you show the Product Manager that it was worthwhile for helping your team deliver business value in the long term? As an engineering ma

North Korean Hackers Hide in Plain Sight | Hacker Noon

On the evening of the 25th January 2021, Google’s Threat Analysis Group published details of a campaign targeting security researchers attributed by them to “a government-backed entity based in North Korea”. Google described the attack as using a “novel social engineering method”. Social engineering usually describes attacks that target the human factors of computer security, such as by using phishing emails or phone call impersonation. Whilst highly-competent security experts may consider them

3 Software Ownership Models and Joint Care for Dev Teams | Hacker Noon

In traditional software operations, software would be "thrown over the fence" to operations teams. Technical operations teams would be aided in operating a service using Standard Operating Procedures (SOPs). With the advent of practices like DevOps and the growth in hiring SREs (Site Reliability Engineers), development and operations are increasingly unified. This has allowed "chore" work like deployments and maintenance to be automated. Standard Operating Procedures still play a role in this w

Using data science and machine learning for improved customer support

In this blog post we’ll explore three tricks that can be used for data science that helped us solve real problems for our customer support group and our customers. Two for natural language processing in a customer support context and one for identifying attack Internet attack traffic. Through these examples, we hope to demonstrate how invaluable data processing tricks, visualisations and tools can be before putting data into a machine learning algorithm. By refining data prior to processing, we

Time-Based One-Time Passwords for Phone Support

As part of Cloudflare’s support offering, we provide phone support to Enterprise customers who are experiencing critical business issues. For account security, specific account settings and sensitive details are not discussed via phone. From today, we are providing Enterprise customers with the ability to configure phone authentication to allow for greater support to be offered over the phone without need to perform validation through support tickets. After providing your email address to a Cl

Project Crossbow: Lessons from Refactoring a Large-Scale Internal Tool

Cloudflare’s global network currently spans 200 cities in more than 90 countries. Engineers working in product, technical support and operations often need to be able to debug network issues from particular locations or individual servers. Crossbow is the internal tool for doing just this; allowing Cloudflare’s Technical Support Engineers to perform diagnostic activities from running commands (like traceroutes, cURL requests and DNS queries) to debugging product features and performance using b

Pwned Passwords Padding (ft. Lava Lamps and Workers)

The Pwned Passwords API (part of Troy Hunt’s Have I Been Pwned service) is used tens of millions of times each day, to alert users if their credentials are breached in a variety of online services, browser extensions and applications. Using Cloudflare, the API cached around 99% of requests, making it very efficient to run. From today, we are offering a new security advancement in the Pwned Passwords API - API clients can receive responses padded with random data. This exists to effectively prot

Concise Christmas Cryptography Challenges 2019

Last year we published some crypto challenges to keep you momentarily occupied from the festivities. This year, we're doing the same. Whether you're bored or just want to learn a bit more about the technologies that encrypt the internet, feel free to give these short cryptography quizzes a go. We're withholding answers until the start of the new year, to give you a chance to solve them without spoilers. Before we reveal the answers; if you manage to solve them, we'll be giving the first 5 peopl

Banking-Grade Credential Stuffing: The Futility of Partial Password Validation

Recently when logging into one of my credit card providers, I was greeted by a familiar screen. After entering in my username, the service asked me to supply 3 random characters from my password to validate ownership of my account. It is increasingly common knowledge in the InfoSec community that this practice is the antithesis of, what we now understand to be, secure password management. For starters; sites prompting you for Partial Password Validation cannot store your passwords securely usi

Ten new data centers: Cloudflare expands global network to 165 cities

Cloudflare is excited to announce the addition of ten new data centers across the United States, Bahrain, Russia, Vietnam, Pakistan and France (Réunion). We're delighted to help improve the performance and security of over 12 million domains across these diverse countries that collectively represent about half a billion Internet users. Our global network now spans 165 cities, with 46 new cities added just this year, and several dozen additional locations being actively worked on. Our expansion

Optimising Caching on Pwned Passwords (with Workers)

In February, Troy Hunt unveiled Pwned Passwords v2. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security. In supporting this project; I built a k-Anonymity model to add a layer of security to performed queries. This model allows for enhanced caching by mapping multiple leaked password hashes to a single hash prefix and additionally being performed in a determ

Going Proactive on Security: Driving Encryption Adoption Intelligently

It's no secret that Cloudflare operates at a huge scale. Cloudflare provides security and performance to over 9 million websites all around the world, from small businesses and WordPress blogs to Fortune 500 companies. That means one in every 10 web requests goes through our network. However, hidden behind the scenes, we offer support in using our platform to all our customers - whether they're on our free plan or on our Enterprise offering. This blog post dives into some of the technology that

DNS-Over-TLS Built-In & Enforced - 1.1.1.1 and the GL.iNet GL-AR750S

GL.iNet GL-AR750S in black, same form-factor as the prior white GL.iNet GL-AR750. Credit card for comparison. Back in April, I wrote about how it was possible to modify a router to encrypt DNS queries over TLS using Cloudflare's 1.1.1.1 DNS Resolver. For this, I used the GL.iNet GL-AR750 because it was pre-installed with OpenWRT (LEDE). The folks at GL.iNet read that blog post and decided to bake DNS-Over-TLS support into their new router using the 1.1.1.1 resolver, they sent me one to take a l

What's Changed? Only running PHPUnit Tests for Changed Classes

Last night I was working on adding some features to a pretty large PHP project, the project had incredibly thorough Unit Testing. Whilst having too few Unit Tests is common issue for developers, in this case I was experiencing the exact opposite challenge; there were too many tests. The project had hundreds of thousands of Unit Tests (in some cases they really constituted Integration Tests) and it would take upwards of 40 minutes to run the entire test suite. After running a single change it si

Privacy-Protecting Portable Router: Adding DNS-Over-TLS support to OpenWRT (LEDE) with Unbound

If you want to skip ahead to instructions, scroll to the next section. But I, like a TLS handshake, am very verbose so please enjoy this opener. Imagine this scenario - I'm at a restaurant and need to have a private phone conversation but unfortunately my phone's battery is drained. To get around this problem, I borrow my friend's phone and dial the number - to protect my privacy I walk outside. When I'm done with the call, I come back inside and return the phone. Whilst the phone itself doesn

How Developers got Password Security so Wrong

Both in our real lives, and online, there are times where we need to authenticate ourselves - where we need to confirm we are who we say we are. This can be done using three things: • Something you know • Something you have • Something you are Passwords are an example of something you know; they were introduced in 1961 for computer authentication for a time-share computer in MIT. Shortly afterwards, a PhD researcher breached this system (by being able to simply download a list of unencrypted pa

Validating Leaked Passwords with k-Anonymity

Today, v2 of Pwned Passwords was released as part of the Have I Been Pwned service offered by Troy Hunt. Containing over half a billion real world leaked passwords, this database provides a vital tool for correcting the course of how the industry combats modern threats against password security. I have written about how we need to rethink password security and Pwned Passwords v2 in the following post: How Developers Got Password Security So Wrong. Instead, in this post I want to discuss one of
Load More Articles
Close