Cloudflare

I’m looking into Cf for work. Beefing up our app’s edge in a bunch of ways is high up on our list of things to do this quarter: e.g. a web application firewall would be very nice, a CDN too for statics that we can purge (our frontend will soon be getting an upgrade to a fancy modern JavaScript framework – Vue.js – which will make a purge button less important but for now we need one :)), DDoS mitigation, etc. Yes. This will be most excellent to get started with.

Notes

Security

Feature name | Description
Rate limiting
Monitoring
Cost
Threat protection
Web application firewall
SSL / TLS
DDoS protection

Performance

Feature name | Description
CDN
Load balancing
Caching | How is this different from the CDN?
Resource optimizations | Image optimization
Mobile optimization

I’ll do a bit of digging into each of those Cf platform capabilities next. It seems bloody incredible!

20190914

Learned

  • Jenkins pipelines have 2 maps available, params and currentBuild, that are hydrated by Jenkins itself and by installed plugins on a job run

Read

  • https://www.schneier.com/blog/archives/2019/09/more_on_law_enf.html : More about intentionally adding backdoors to security tools. (This is still being talked about! Madness!)
  • https://technology.riotgames.com/news/down-rabbit-hole-performance-monitoring : keeping an eye on avg frame rates across game client releases by various dimensions. Process of finding the key metric to watch from a user’s point of view is neat.
  • https://jenkins.io/doc/book/pipeline/getting-started/

Data and Goliath

The state of surveillance. Imperfect awareness and controls allow for growth. People at the fringe of society come with new ideas. Possibilities. Perfect control can stifle thought.

Corporate and government. Different motivations. In some cases working together.

Privacy and freedom. Chilling effect. Behavioural adaptation. People don’t speak freely when they think they’re being listened to.

The security vs. privacy trade-off. False. Do we want to build systems that are weakened for everyone or protect the people who use them? US Government has given intelligence agencies much leeway to do what they need to do to protect. Usually happens around large events like 9/11.

Encryption. The one technical tool we have to really protect privacy. Available to good and bad alike to use. NSA and others don’t try to break it. Much easier to infect systems with malware, backdoors and collect / control that way.

Are we more secure for it? Bad things still happen all the time and we’re not able to intervene regardless of the amount of data collected on people. You have to be able to analyze it in a meaningful way. This is hard. Events we would care about are rare and don’t resemble each other in any meaningful way.

Legal framework needed. Oversight. Separation between collection and action. Transparency in what the intelligence community does. And strategic and tactical tools to make sure agencies are operating within bounds.

Whistleblower protection. Leakers + journalists need to be at least able to try to make the case that they were showing egregious disregard of laws around surveillance and eavesdropping. Right now there are no protections.

Suggests new behaviours for government, business, and us as individuals to change the direction we’re heading in. Favouring services that have good privacy practices, using encryption liberally, and engagement in the process, for example.

Ends by describing a challenge for our generation around figuring out how to balance group and individual privacy in our time when we’re clumsily rushing forward into dark places just because we have new toys and haven’t thought through moral implications largely. There are good uses of shared, community-owned databases – he talks about a health / medical use case where we can learn about health + wellness as a good trade-off towards group benefit. (Giving Google reams of data so that they may better advertise at us … not so much. :))

Great read. 🙂