Arik Hesseldahl


Web Security Start-Up Cloudflare Gets Buzz, Courtesy of LulzSec Hackers

The Irish writer Brendan Behan once said, “There is no such thing as bad publicity, except your own obituary.” Minus the second half, the quotation has proven remarkably durable, and over the years has been widely applied to pretty much any circumstance when public people or organizations find themselves caught up in swirls of publicity or infamy not entirely of their own making.

Ask Matthew Prince, the CEO of Cloudflare, a Web security start-up that offers free protection to practically any Web site. The service has won praise from many quarters for its ease of use, its ability to keep sites running even when their servers have problems, and its tendency to incrementally speed up the performance of Web sites that use it.

What Prince didn’t expect was the praise he’s gotten from the infamous hacker troupe LulzSec. This is the group that has taken credit for, among other things, planting a fake news story about Tupac Shakur on a PBS Web site and harassing Sony by attacking some of its sites, and which recently publicly warned Britain’s National Health Service about its own lax cybersecurity.

LulzSec’s site has been barraged by numerous attacks meant to bring it down, many thought to have been launched by rival groups wanting to score some street cred. The thing is, that’s exactly the sort of thing that Cloudflare is built to help a Web site — any Web site — withstand. LulzSec signed itself up for the service as any other customer would and has tweeted its appreciation: “We love Cloudflare,” they messaged on June 2.

That’s put Prince in a peculiar situation. LulzSec has for now supplanted both Anonymous and Wikileaks as the Internet’s public enemy number one, both for the sheer boldness of their attacks and for their comically arrogant manner, having racked up more than 120,000 followers on Twitter in just a few days and offering an interview to a TV host on the condition that she conduct the interview while mud-wrestling. “If I had my choice of a marquee client to show off the abilities of our service, this is certainly not who I would have chosen,” Prince told me in an interview. “We’re very sensitive to the sort of problems that groups like this have caused.”

But there are benefits both for Cloudflare as a business and for others who use it. First off, LulzSec’s praise has generated new buzz for Cloudflare that has led to more people signing up. Just this morning I found numerous examples of people saying they had signed up for Cloudflare based on the LulzSec buzz. Prince says Cloudflare is adding roughly one new site a minute. “There’s definitely been a spike,” he told me.

But there’s a second benefit, one that ultimately helps all Cloudflare customers. For every attack that’s launched against a Cloudflare customer, the system gets stronger and better able to apply what is learned across its network for the benefit of everyone else. And so if you assume that the LulzSec site is a target for repeated attacks, whether sophisticated or not, every other Cloudflare customer enjoys the residual benefit.

That is, of course, how it was designed. Cloudflare had its genesis out of Project Honey Pot, a non-profit attempt to fight spam that created a distributed system for finding spammers and the bots they use to harvest email addresses. Launched in 2004, it was basically a hobby for Prince and the other founders — until the day in 2007 the Department of Homeland Security called and said it saw real value in the data the project had collected on how fraud is conducted online.

After a stint at Harvard Business School, Prince teamed up with fellow student Michelle Zatlyn. They crafted a business plan that essentially applied the Honey Pot model to the Web itself. They launched the company last year, backed by a $2 million Series A investment from Venrock Capital and Pelion Venture Partners. The 90-second video below sums the service up nicely.

Like Project Honey Pot, Cloudflare gets better as more people use it. The service uses distributed computing — it’s hosted in 12 Equinix data centers around the world — to keep its customers’ sites online when their servers crash or are attacked. It helps protect against commonly seen attacks, like denial-of-service attacks and malware bots. It’s also free to use, and pretty much anyone who operates a Web site can have it up and running in about 10 minutes. While most Web security outfits are aimed at helping large companies secure their stuff online, small operations have fewer options. On top of its free service, Cloudflare offers a Pro account for $20 a month. A more powerful offering aimed at enterprises is coming in the fall, Prince says.

So what’s Prince going to do about LulzSec? Nothing. However, if served a subpoena by a law enforcement agency, he would comply with it. Yet even then he doesn’t expect that information Cloudflare has on LulzSec would be useful. “When someone signs up with us they provide an email address and an IP address, and we know where their content is hosted,” Prince said. “But my hunch is that we have less information about where and who these people are than their actual hosting provider. But we’re an organization that follows the law. If compelled to do so, we would turn over what we have.”

And since Cloudflare isn’t hosting any LulzSec data, cutting the group off as a customer would not bring its Web site offline. “Their Web site would still be online. It just wouldn’t load as fast.”


@ We love CloudFlare, Mr. CEO of CloudFlare. Can we have a free premium membership in return for rum?
@LulzSec
The Lulz Boat


@ thanks so much for introducing me to #CloudFlare! I’m signing up now and it looks fantastic!
@LukeCutforth
Luke Cutforth ✔

Us in 90 Seconds from CF Vimeo on Vimeo.
