Basically zero information. They keep telling us how MelbourneIT is usually more secure but doesn't do on to tell us how it is any more secure than other registrars. More importantly, even with admin access to to their control panel how can it be so easy to change registry information of such high profile sites with a click of a button?
Devilishly clever marketing for Cloudflare, though. Clearly I need to spend my days on more bridge calls for situations affecting other ops teams that have nothing to do with me, so my company can put out a PR piece from a position of authority about how awesome we are. What exactly did a team of people at Cloudflare do today? Consult? Do you bill hourly or is it a friendly NYT discount? What was your plan connecting end users with recursive operators? Want them to manually flush their resolvers out of the normal DNS TTL protocol? Is that a service that comes with my Cloudflare subscription?
Next time a startup goes down, ask yourself: if I were on a bridge call with their ops team, could I use this to sell my company's reliability product? Clearly, the answer is yes.
Classy, too, jumping out in front of MelbourneIT's response then speculating on it. I would be furious about Cloudflare writing a details-thin "postmortem," headlining it as a postmortem, analyzing my initial statement to customers in it, then getting it on HN before DNS caches are even cold from the incident itself. It's not even subtle.
This is the sort of thing I remember in discussions about using Cloudflare. There's lots of choices for CDNs, a market growing surprisingly full of ambulance chasers: one CDN startup had the fucking courage to email me directly after a hellish multi-hour outage and say "want to set up a call to discuss how our product could have prevented this outage?" I was still awake from fixing the problem overnight and no, your CDN is not going to fix my catastrophic DB failure. Get bent.
This is a disgusting move by Cloudflare. The little human network signoff made me gag; don't forget, small ops teams, you will only get things done if you know people. Notice HuffPo wasn't on the call? Exactly.
No shit... it almost reads like a hit-piece on MelbourneIT (damning with faint praise).
But at least they rode in with some knights from the mighty Google and OpenDNS to patch some caching issues and release a State of the Domains address.
Meanwhile the empires of NYT and Twitter were left being ravaged by hordes of Syrian Ninjas and an overseas registrar.
Didn't they pull a similar story telling people an attack on them by Cyberbunker impacted the London Internet Exchange, prompting quite some pandemonium?
I remember there being a more somber post after the whole incident by another blog detailing just how little fluctations there were on the alleged day of the incident, and how the numbers didn't stack up.
This is known as 'inserting yourself in the news story' and it works well as a marketing trick but in this case cloudflare is actually part of the story because the NYT (one of the affected sites) and cloudflare did communicate on the subject. The more peripheral the link the trickier it is, in this case (a first order contact with the affected party which was initiated by cloudflare) I think it is fine to issue some statement, but not necessarily this statement.
Before leaving my comment, I searched and searched for any shred of reason for CloudFlare to release this inappropriate statement, including reading all of Rajiv's timeline. Obviously, since I left the comment, I came up empty.
Can you point to what you feel makes this statement appropriate on behalf of your company? I can't identify what annoys me most about it, because there are many things: the "it's who you know in ops" attitude that I've been fighting for my entire career, the creation of a Batman-esque hero at a startup CDN provider who assembles a team to guide the lesser ops teams through a crisis, the overdramatizing of a DNS hijack that happens countless times daily (just with an interesting vector this time, but certainly not the first of ITS kind, either), speculating on another company's statements, preempting an official response with your own "postmortem" to score some traffic...
It's particularly frustrating because I've been in this exact scenario, to the T and including a registrar compromise, before. But because my personal side project doesn't have name pull, I didn't get a CloudFlare Crack Squad on speakerphone calling in a dozen courtesy phone favors to score my contract. And I had to wait for tickets and TTLs like everyone else. That sounds bitter -- and I hate bringing it up for that reason -- but that's why this is ethically shitty. Either you're playing favorites or capitalizing on something for sales. There is no third option, not even an altruistic one.
No good deed, it seems, goes unpunished by those upset they're not getting enough attention. May I suggest you read the end of the NYT CTO's recently updated blog post:
That wasn't remotely the thrust of my comments and you know it. I also (correctly) predicted you would hop on the bitter swan song instead of, you know, the half-dozen reasons why this sucks immediately prefacing it. Also, that's two employees who have posted Rajiv's words as rationale for the blog post; can we go for three? Shouldn't you be hiring Rajiv at this point, as hard as you're riding him?
Address something smaller and bite-sized, like preempting MelbourneIT's statement with your own and speculating on their behalf. Can you at least defend that inappropriateness? Can we start there?
Your company provided guidance and connections, which makes this statement inappropriate. Or did CloudFlare do something that has been left out of all statements?
I am not annoyed by your "good deed". I'm annoyed by how hard and how inappropriately you are capitalizing upon it as a PR coup, before the ashes have even settled. The victim tone is discouraging for this conversation, I have to say, and it's quite unbecoming.
