Thank you, Uncle Tuan. I did not know we were friends. Well, it's late on a Monday, so we'll try to be nice. So going right off, IBM CEO, Ginni Rometty, said that cybercrime is by definition the greatest threat to every profession, every industry, every company in the world. Do you have any thoughts on this quite interesting statement? Do you agree?

I wonder what IBM is trying to sell. I think TOSTA's, by the X86. Actually, the interesting thing about cybercrime in general is that it's largely unreported. So I was talking to a very senior police officer in the UK who deals with cybercrime, and one of the problems they have is that nobody reports cybercrimes because they don't want to be embarrassed by them. And what happens is they arrest someone for a crime, and then they find all the other victims of that crime, and they find from the evidence that, oh, they hacked this one thing, but also another 10 companies. They reckon it's 10x underreported because companies are embarrassed to say they got hacked or breached or whatever. So I think cybercrime is like any crime. It's here to stay, and sometimes it's easy to do, so people do it. And it should be treated like crime.

It is a crime, yeah. You should see law and order about it. Anyway, so in this session, how do we build a better Internet? So what's that mean for Cloudflare?

So what Cloudflare means by that is that if you think about the growth of the Internet, how it ended up and where it is, it was fundamentally partly because they deliberately missed features out. So the original goal was to build a reliable network out of unreliable components that would allow people to just sort of bolt things together. It was built out of different layers that they don't necessarily know about each other. So, for example, in one country you might be using fiber optics, another one you might be using copper, but fundamentally you could bolt all this stuff together and make a global network.
At the same time, they did not build in anything about security. They did not build anything in about making it perform extremely quickly. Now, that was great. It met its goals without any problem at all. Unfortunately, we came along and started expecting the Internet to be really fast and really secure, which it wasn't built to be. So when we talk about helping to build a better Internet, it's really about meeting those expectations, which is let's make it secure so we can do banking and all those things on the Internet. Let's make it fast. Let's make it available. We expect stuff to just work all the time. So that's what it is about. In a way, it's about patching those things. It's not that they were false, it's just that they were left out in the design of the original network.

So I guess you could say that the Internet is sort of humanizing as more and more people use it.

That certainly is. The real thing is it's become a fundamental part of everybody's daily life and you have to make it work.

Earlier you said that companies, there's a question of face regarding this. So how do you think companies should have changed their attitude in terms of reporting cybercrime so that solutions can be built around it?

Well, I think that one thing that happens is that companies that don't report cybercrime, it gets reported for them by the people who hack them because they'll come out with it. So it's actually better to get ahead of that and say, hey, we know this has happened to us. If you look at when people do get hacked, you can learn a lot about the company and the way they react, whether they try and cover it up, you just can't cover it up. I mean, if you manage to keep it completely secret, that's one thing, but you can't kind of pretend it half happened. You see people trying to obfuscate in the language they use. So if you do get hacked, you better just talk about it openly. And I think so many things get hacked.
It'll probably become socially acceptable to say, yeah, us too, actually, this happened to us, and this is the extent of it.

So I'm curious, as the guy sort of sitting on top looking down, what's a DDoS attack look like when it happens?

Well, internally, at Cloudflare, it just looks like somebody mentions in one of our chat channels, oh, by the way, there's a big DDoS attack happening. So it's quite interesting the other day. I talked about the GitHub attack, which was 1.3 terabits per second. They went offline for eight minutes while they switched over. At the same time, the same people doing that DDoS, they were hitting us with about a terabit per second of traffic for one of our customers. And we didn't notice until somebody looked at one of the graphs and said, oh, look, there's a really big attack going on. Let's look at this. This looks interesting. That's because we architected our system to always have the DDoS attack stuff online constantly. You don't have to switch over to it. So mostly it just looks like somebody's saying, oh, there's an interesting thing going on. It's sort of an intellectual curiosity. Let's go take a look at it.

And I assume all this is run back and heuristically and through AI and algorithms.

Yeah, it's a mixture of things, right? So for specific attack technologies, but botnets, we will have gone in and actually built a signature for it. And we've given them all names. Internally, actually, they're all named after types of rum. I have no idea why they're named after types of rum, but everyone is a different brand of rum. So sometimes we'll start talking about there's a particular attack happening. But then there are others where we use learning because of that huge network and huge number of customers where we'll learn about a particular attack happening. So it depends. Some of it's heuristic, some of it's not.

But as computing power and bandwidth just explodes in everyone's hands, are you guys always playing catch up?
So it's interesting you say in everyone's hands because there are actually DDoS attacks that come from people's phones. So Android phones, there was, not very long ago, there was an attack where someone took over apps on Android phones and the phones actually started attacking people. So it is actually often in your hand. Are we playing catch up? In a way we are. I talked about that asymmetry between the attackers and the defenders. As the internet grows, they become more possible attackers. And so, yes, there is always going to be that asymmetry. On the other hand, I think we've got really quite good understanding against the really big volumetric DDoS attacks. We see that internally because we do it automatically. We've also seen it because we've watched attackers change tactics. So you'll see last September, Cloudflare announced that it would make DDoS mitigation completely free for all of our customers. The next day we got hit by the largest DDoS attack we'd ever seen because somebody was mad, wanted to knock us offline, that didn't work. And after that we saw a distinct drop in the number of volumetric attacks. What people are now trying to do is go after the actual applications themselves. So they're trying to find out the weak spot in your application. So for example, I gave an example of Bitcoin. There was one Bitcoin exchange that got attacked. What they did was they figured out that the slowest thing that that exchange did was give you your balance in your wallet. And so they built themselves a botnet that continuously said, what's my balance? What's my balance? What's my balance? Because actually figuring out the balance had to go back to the database and that slowed the website down. So that's what people do. They look for the weak spot.

And DDoS isn't a new kind of thing to be around forever, but what keeps it so fresh?

It's easy. I mean $25 for 350 gigabits per second. I mean it's pretty cheap, right?

I'll do it for 20.
It's not very complicated, right? If you end up looking at the people who get arrested for running those services, they're not super, I mean they're going to be mad at me for saying this, but they're not actually that technically sophisticated. They just figured out some little flaw and they exploited it to make money. It's 20 bucks. 20 bucks, 25 bucks, whatever. Same.

So should the government, should the security companies, should the guys protect our stuff? I mean should they be doing more to monitor potential zombies? Zombies of course being hacked computers.

So the biggest thing we could do is deal with the problem where you can pretend to be the victim. So this what we call spoofing is really a big problem, which is you say, hey I'm victim, please send me lots of information. That problem of what's called IP spoofing is a really bad one. If you could stop that, that would stop a huge amount of attacks. It wouldn't stop everything, but it would solve a lot of problems. That requires a lot of cooperation between the different networks around the world. Because fundamentally the internet didn't have any protection against that built into it. So now you've got to get everybody to cooperate on, well we're not going to allow forgery in our networks. It's not actually a simple thing to solve. It sounds it, but it isn't.

And you guys of course just released a new product with a very difficult name. I'm going to try. 1.1.1.1.

Good, four ones.

Yeah, four ones basically. Two peace signs is the brand. So maybe you could tell us a bit more about this service.

Okay, so this is what's called a DNS resolver. A DNS resolver is a service or piece of software necessary for your computer or phone or whatever to translate a name like cloudflare.com or sginnovate.sg into an IP address. Fundamentally you have to do that. You have to use the IP address because that's what the computer understands. So use what's called a DNS resolver. Usually you use the one your ISP gave you.
You don't even realize. Unfortunately DNS is not secure and can be quite slow. The ISP can be doing all sorts of tricks on you. So it can be inserting ads or it can be monitoring where you go on the Internet but just by looking at these DNS lookups. So we introduced our own 1.1.1.1. Easy to remember. And our big guarantee is that we're not logging what you're doing. We're not interested in where you're going on the Internet. We're not keeping those records. We even decided to get KPMG to come in and audit that we're not lying about that. The reason we're doing it is it makes our service faster if you use it. It makes your Internet faster whatever you're doing. And it's completely private.

And our people, I guess the guys who track what you do, are they happy about this?

Yeah. Yeah. I mean there's tons. Actually the response to that has been overwhelming. We have some stickers that say 1.1.1.1. And I foolishly said on Twitter that if anyone needed some, I could send them some stickers. And that was a mistake.

Can you send me some stickers?

Yes, you can. You can email me. I have a folder which has got 180 emails in it saying please send me some stickers.

Beauty of life. I got a CT of those and new stickers. So overall, how does Cloudflare keep this product evolving? I mean not just 1.1.1, but what's your general sort of attitude to the evolution of the product?

So what we try to do is we think there are only a very small number of companies that really get to use the Internet to its fullest. We think about Google and Facebook and Ali and maybe Baidu. There's not very many. The reason they're not very many is because those companies have got the expertise and the experience and the time and the money to be at the latest levels of security, be at the latest protocols, the latest innovations. And fundamentally what we do is do that as a service. Oh, you want to have the latest that Google has? We'll select you as a service.
So that really means is looking at what the next innovations are that are coming along and implementing them before everybody else. So in the previous talk, Sebastian spoke about TLS 1.3. TLS 1.3 is the new version of the security protocol we all use to access secure websites. We might think of it as HTTPS. We've had it implemented and public for over a year. It is only now starting to actually get used by people. Our goal is to always be well ahead so that you can always turn to us and go, oh, yeah, they're on top of it. Whatever the hell it is, they're on top of it.

Now, just we don't have too much time left. I'm going to hit you with one of the fun ones. So of course, the big Facebook scandal is pretty up in the news. And it shows, I think without a doubt, that our information is traded publicly. That somewhere out there, someone knows I enjoy certain things. So is this something that can be done about this? Or is this just a consequence of a free and open internet?

I think that's actually a question of social and government pressure, right? What is acceptable? And I'm not sure that people understood until now this Facebook scandal happening how easy it was for a company like Facebook to put together a sort of profile of your entire life. And people are seeing as they download their information from Facebook how pretty accurate they were about who you are. From information you voluntarily gave. And I think it really turns out that that's easy to do technically. There is no complexity about doing it technically. It's a question of what society and what governments want from these services.

Fair enough. Beyond that, looking at Asia specifically, do you notice that sort of the DDoS attacks cybercrime we have here is unique? Or is it sort of just generalistic?

So I'd like to say it's unique and make you feel special. But it's not really. So sadly, cybercrime and these attacks are a global phenomenon. You do get pockets of certain things.
For example, there's quite a lot of gaming services in Asia and they get attacked. Wherever there's money, you're going to get attacked, right? You'll get political situations where things will happen. But honestly, I could probably rotate the globe to any location and say pretty much similar things happening around the world. The big thing for us is building out our data center coverage because there's a huge population here that needs to be really well covered. And we're doing that as we go forward.

And do you think there is more that governments, ISPs should be doing to keep us safe from DDoS? The answer is yes, but how?

The answer is yes, and perhaps you can answer it for me. I think in terms of... I would go back to the thing about spoofing, about being able to forge something coming from it, that's something ISPs need to get together on. And I think the big thing for governments is what they already do which is trying to educate people about what's safe to do on the internet and where you're going. And there are some regulation things you can do, but the internet is not bad at regulating stuff. Now the internet is different from say Facebook, right? So the internet as a network is not bad. It has this strange voluntary run thing which actually keeps it all going. But we can make sure that people understand the things like DDoS attacks. Florists DDoSing each other is really quite surprising, right? When I first heard that, I was like, seriously? Yeah, that really happens. So just understanding that those things are out there and you need to protect yourself is vital.

So I think we only have time for one more. So I guess I'd like to end off by asking what do you think are some of the key trends that we should be looking out for in the space, especially with regards to DDoS over the next couple of years?

Well, DDoS is just going to get larger as the internet gets larger.
I think that the, what we call the layer three, layer four, the network level, the big volumetric attacks is going to be a bit like the email spam problem. It's not going to go away, but we're not really bothered by it anymore. If you use a good spam filter, it's dealt with, right? If you're using Gmail, you don't really see spam. There's a folder with it in. So I think the volumetric DDoS stuff is really going to happen. But I think the attackers are really going to go hard against applications trying to find vulnerabilities in them. So I think that's going to be a really, really big thing that's going to happen. The other thing that's going to happen is 5G mobile telephone connectivity is going to put a lot of bandwidth in phones. And some of those phones are going to be very insecure and they're going to, we're suddenly going to find there's, you know, we'll see an attack from a 5G botnet of a bunch of people with really nice phones suddenly blowing up some website somewhere.

Well, on that scary thought, could we have a round of applause for John, please? I'm going to assume a little bit of that was for me, so thanks. We have time for a couple of questions. So if anyone has some, please... I think there's the mic's up front here. One? Okay, yes.

Thank you. A while ago, I read about cybersecurity when where, if I'm not mistaken, DARPA organized a competition where teams of hackers had to develop systems that would automatically hack the rival, try to hack the rival system by protecting itself from being hacked. This kind of development, do you see something that is going to make Internet more secure or more vulnerable?

So are you specifically talking about hackers who hack each other?

I'm talking about systems that are doing this in an automated manner.

I mean, there are tons of those systems. One of the reasons why there are so many attacks, actually, is because a lot of the attacks are completely automated. There are tools you could download.
Anyone with a moderate amount of technical skill could download and actually start deciding to try attacking a particular website. And there's a very large number of low-skilled people who will do that. I don't think that fundamentally actually makes things much more secure. It'd be nice to say it does because people are actually getting sensitized about this, but they don't seem to learn from the lesson. They could be using those tools to protect themselves, but they're not. So I don't necessarily think that actually helps that much. There's another issue which is related, which is hacking back when you're hacked and going after things. So in the case of the DDoS attack from the big memcached DDoS attack, everybody who defended about that knew that there was a way to shut down all the machines doing the attack. There was a simple way to do it. We could have gone in and done it, but it's actually illegal to go to one of those machines that you don't own and tell it to do something. And so we all sat there saying, we could actually switch this off, but we would break the law by doing so. And so you have a very dubious position where you try to go back and attack the attacker because the machines that were being used and bystanders, right, they were machines running on the internet being told to do something, and we could actually have gone and shut them all down. And we actually sat there with a script looking at it going, we can't actually run this because it would be against the law.

You mentioned IoT in your last comment. Apart from potential volume of devices out there that could do more DDoS attacks, et cetera, what else do you see that's potentially more creative or more complicated or more fancy that IoT could bring to internet or risks that it could bring?

So I mean, you're absolutely right about the DDoS threat. So we had that Mirai botnet, which was cameras and DVRs, which is the thing that took off Dyn in 2016.
The thing is, if you think about computing, computing has all sorts of problems, right? Security, vulnerabilities, obsolescence, you know, things get out of date. As soon as you attach a computer to something, a toaster, a camera, a bicycle, you bring all those problems with you. So you've suddenly decided to bring all the problems of computing to that thing. So fundamentally, all these IoT devices, they're just computers and we just connected a lot of them. The big problem is that you may well think about updating the software on your phone when you get an alert saying, hey, there's a new version because you're worried about the security. I guarantee you nobody thinks about updating their toaster, right? Nobody sits there and thinks, hey, there's a new security patch for my toaster. I need to go get that. And so that leads to a situation where you're going to have a very large number of low-cost consumer devices which nobody updates and there are going to be vulnerabilities in them. And they're going to be connected to the internet. So they're going to be used for the various purposes. So the obvious ones are DDoS. Sending email spam is still popular. Your toaster could be spamming people. Your fridge could be doing that kind of thing. Storing files, people love to do that. Drop some files in there. But I think the bigger thing than that, that's sort of, that's happened for years with computers. Just there's a lot now attached to cameras or toasters or whatever. I think the bigger thing is the privacy implications. If those devices, if you have a camera on your front door and that camera can be hacked because it's got poor software, suddenly you've lost control of something which is fundamentally you wanted control of. So I'm curious what will happen in this area over time, whether we end up with something like, you know, so for example in the U.S. there's a thing called Underwriters Laboratories which certifies that electrical goods won't catch fire, right?
Because we've gone through years of people dying and we've decided to have this kind of thing happen. Do we get to a point where there is some sort of certification that a device has some standards like, for example, it can auto-update itself? It isn't just, when you connect it to the internet it doesn't just open every possible connection and say, hey, come fiddle with me. I think we might get there if some of these things, you know, bad things happen with these devices. But, you know, the reality is the cheaper the device, the less likely it is to be secure at this point.

Any more questions out there for John?

So I can give you the PR answer or I can give you the real answer. So the real answer is that the CEO of Cloudflare one day said, literally one day said, we should do a DNS resolver because we can definitely make the fastest one out there. Because we built that network. Because that network is very close to everybody. If we put a DNS resolver on there, it's, as long as we don't screw it up, it's going to be very, very fast. And he said, we're going to get the address 1.1.1.1 which is almost impossible to get. Google had tried and failed. And we're going to launch it on April 1st and everyone's going to think it's a joke. Everyone in the company, me included, thought, oh, God, are we going to have to actually do this thing? And it actually worked. We take quite seriously this idea of building a better Internet, trying to make it faster and more secure. And this was one way of doing it. And one of the reasons why we had the very strong privacy guarantee is to say, look, this is a consumer thing. Go use it. It makes things faster. It also makes our service faster, right? So if you are a Cloudflare customer and somebody's using our resolver, then you're going to get to that website even faster. So there is a commercial benefit, but that's not really the driving factor to say, yeah, that's great. That makes us faster.
We were already the fastest DNS for authoritative DNS. We couldn't really get any faster. So we had to go solve the resolver side of things. But we did it in a, look, let's just make it better for everybody. We don't mind if you're going to a website that's on us or not on us. Just make it faster. So I think there is a bit of a principle which is let's try and actually make the Internet better. And I think if you do, then you get side benefits of people look at the company and say, that's an interesting company. I might want to work with them or I might want to go work for them or get employees. About last February, so February 2017, we had a very bad security bug called, some people called it Cloudbleed. And we were really open about it and told everybody about everything that happened and all this kind of stuff. The sales team in London said, can you come to Berlin and visit Zalando, which is a huge retailer of Zalando in Europe, because they want to talk about this security bug. So I go, I fly to Berlin. I'm on the plane to Berlin. I said to the sales guy, so how long have they been a customer? And he says, they're not a customer. So I'm going to a non-customer to talk about this security bug. So I go and talk, their entire engineering team got together a thousand people and I went through everything we'd done. They found out that they wanted to switch from Akamai to Cloudbleed because we had the security problem. And what they said was, you were so transparent and open about it, we looked to ourselves and said, if we'd had a problem, we would have behaved like that. We want to work with that organization, not with the organization that obfuscates and never tells us the reality of what's going on. And so that was kind of a surprise to me. I do think having some sort of values and living by them does actually help.

I think we got time for one more.

The new hype is in the cyber insurance. How do you see this from your perspective and your client?
Do you kind of insure what you fail to protect?

So we have toyed with some sort of cyber insurance as part of our offering. If you're using our services, then maybe there's some insurance included or maybe there's some kind of insurance included, or maybe it changes the premium you're paying. It's almost certainly going to happen. I'm just not sure when. I think it's a bit like do you have an alarm on your house reducing the insurance you pay on your home. So that's definitely something that's going to happen. It's a question of exactly what the right offering is. But I would imagine sometime this year.

I think we have time for one last one at the back there.

Thank you for working. Does she want mine? Hello. Okay. Thank you very much. I have two small questions. First question is about what's your opinion of NIST? Precisely what I'm trying to get at is how many backdoors they have. They have plenty I know. But I'd like to hear your answer. Second question is what is NIST in life easier?

I don't know what NIST is. What is NIST?

The National Institute of Standard in U.S. NIST.

I have no idea how to answer that question about NIST having backdoors. We have the Dual EC random number generator which was interesting. You'd have to go talk to the Americans and I don't know that 5G makes things that much worse. It's greater bandwidth. So maybe it makes things a bit worse. I'm not terrified of 5G. I think from a DDoS perspective it's scary.

Okay, I think we're done for the week and I have another round of applause for John please. Thank you. I believe there are refreshments in the back. Have fun and thanks for coming.